Openclaw Control Center

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local dashboard skill, but it can collect and save sensitive OpenClaw operational details while requesting broad execution/control tools.

Install only if you want a local OpenClaw operations dashboard and are comfortable with it reading session, cron, gateway, plugin, and security-status data. Do not share the generated HTML or screenshots from professional mode. Prefer specific triggers like "OpenClaw control center," review the generated file location, and treat the optional full deployment instructions as separate software installation requiring repository and dependency review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The manifest requests the exec capability even though the skill is presented as a browser-based visualization and control-center experience. Command execution materially expands the attack surface: if the UI, gateway integration, or any downstream action path is compromised or overly permissive, the skill could execute arbitrary system commands rather than merely display state.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The professional-mode rules explicitly allow exposing sensitive operational internals such as Session Key, Job ID, Payload, security configuration diffs, architecture details, and complete API/WebSocket inventories. In a control-center skill, aggregating and presenting these secrets and attack-surface details materially increases the chance of unauthorized disclosure, operator error, or downstream compromise if the dashboard is viewed by an unintended user or rendered in a less-trusted context.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Documenting and displaying a complete REST and WebSocket inventory exposes a high-value map of the system's reachable interfaces. That information is rarely necessary for routine dashboard use and can directly aid reconnaissance, targeting, and misuse of internal or administrative endpoints.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The document exposes unusually deep operational details for a dashboard-oriented skill, including runtime stack, exact versions, build commit, loopback service ports, API paths, auth model, plugin inventory, cron/job identifiers, and session/logging details. Even if intended for local technical troubleshooting, this materially lowers the effort for an attacker or malicious insider to map the environment, target reachable local services, and identify weak points such as disabled sandboxing or long retention windows.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The file claims a read-only/safe posture, but also documents mutation-capable endpoints such as POST support for cron management. This creates a dangerous trust mismatch: operators or downstream agents may assume the environment cannot change state while the documented interface still permits state-changing actions if a token is obtained, increasing the risk of unauthorized task creation, persistence, or operational tampering.

Vague Triggers

Medium
Confidence: 92%
Finding
The install guide includes a natural-language prompt asking the AI to install the skill automatically, which can encourage users to delegate filesystem changes and setup actions through a broad conversational trigger rather than an explicit, narrowly scoped command. In a skill ecosystem, this increases the chance of unintended installation behavior or prompt-triggered execution patterns, especially if similar phrasing is reused or imitated by malicious skills.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrase "系统状态" ("system status") is broad and likely to appear in normal user requests unrelated to this specific skill. In an agent environment, overly generic activation phrases can cause unintended skill invocation, leading to unexpected collection and display of operational data.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger word "dashboard" is extremely generic and collides with many ordinary requests about dashboards in general. This increases the chance of accidental activation of a skill that gathers runtime state and opens generated local HTML without clear user intent.
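One way to measure how broad a trigger phrase is before shipping it, covering both the "系统状态" and "dashboard" findings above: count how often the phrase occurs in a corpus of ordinary requests that have nothing to do with the skill, and reject triggers that are a single generic word or that collide with more than a small fraction of that corpus. This is an added example written for this page, not code from the skill, from SkillSpector, or from OpenClaw; the request corpus, the generic-word list and the 10% threshold are constructed for illustration.

```python
import re

# Constructed sample of ordinary requests unrelated to this skill. A trigger
# that fires on many of these will misfire in real use.
ORDINARY_REQUESTS = [
    "build me a sales dashboard in grafana",
    "what's the dashboard url for our ci pipeline",
    "add a dashboard panel for error rates",
    "check the system status of the database cluster",
    "查看系统状态",  # "check system status" (constructed Chinese request)
    "summarize this pdf",
    "write a unit test for the parser",
    "rotate the api keys for staging",
    "draft a reply to the customer",
    "how do i set up a cron job on ubuntu",
]

# Words that carry no skill-specific meaning on their own (assumed list).
GENERIC_WORDS = {"dashboard", "status", "system", "overview", "report", "monitor"}


def trigger_collision_rate(trigger: str, requests: list[str]) -> float:
    """Fraction of requests in which the trigger phrase appears.
    ASCII triggers are matched on word boundaries; CJK triggers are matched
    as substrings because Python's \\b does not delimit CJK characters."""
    needle = trigger.lower()
    if needle.isascii():
        pattern = re.compile(r"\b" + re.escape(needle) + r"\b")
        hits = sum(1 for r in requests if pattern.search(r.lower()))
    else:
        hits = sum(1 for r in requests if needle in r.lower())
    return hits / len(requests)


def assess_trigger(trigger: str, requests: list[str], max_rate: float = 0.10) -> dict:
    """Return a verdict on a trigger phrase with the reasons it was rejected."""
    words = trigger.lower().split()
    rate = trigger_collision_rate(trigger, requests)
    reasons = []
    if len(words) < 2:
        reasons.append("single-word trigger")
    if all(w in GENERIC_WORDS for w in words):
        reasons.append("only generic words")
    if rate > max_rate:
        reasons.append(f"collides with {rate:.0%} of ordinary requests")
    return {
        "trigger": trigger,
        "collision_rate": rate,
        "verdict": "reject" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for t in ("dashboard", "系统状态", "openclaw control center"):
        print(assess_trigger(t, ORDINARY_REQUESTS))
```

The specific phrase the overview recommends, "openclaw control center", passes because it contains a skill-specific token and never occurs in the unrelated corpus; the two flagged triggers fail on word count and, for "dashboard", on collision rate as well.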

Missing User Warnings

Medium
Confidence: 91%
Finding
The README states that the AI will automatically collect real-time data, generate an HTML dashboard, and open it in a browser, but it does not clearly warn users about what data is gathered, where the file is written, or who may access it locally. Because the dashboard includes potentially sensitive operational details such as sessions, cron jobs, plugins, API endpoints, and security settings, silent generation of a persistent local file creates unnecessary exposure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The professional mode explicitly includes sensitive operational data such as Session Key, job payloads, WebSocket addresses, and Gateway API endpoints, but the skill provides no access-control check, masking, or user warning before collecting and rendering them. In a visual dashboard skill, this materially increases the risk of credential exposure, internal topology disclosure, and leakage of task contents to anyone with local access to the generated HTML or browser session.
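A masking and file-permission step that would address the two findings above (silent generation of a persistent local file that anyone with local access can read, and no masking of Session Key, payloads or tokens before rendering). This is an added example written for this page, not code from the OpenClaw Control Center skill or from OpenClaw; the key patterns, the field names and the sample data are constructed for illustration and do not reflect OpenClaw's real schema.

```python
import os
import re
from typing import Any

# Key patterns for the classes of data the report lists as exposed in
# professional mode. These names are assumptions for this example.
SECRET_KEY_RE = re.compile(r"(session[_ ]?key|token|secret|password|api[_ ]?key)", re.I)
CONTENT_KEY_RE = re.compile(r"(payload|args|command)", re.I)


def mask_secret(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters, so entries stay
    matchable by suffix without the secret itself being recoverable."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact(data: Any, professional: bool = False) -> Any:
    """Recursively copy a dashboard data structure.
    Secrets are masked in every mode; task contents (payloads, commands)
    are shown only when professional mode was explicitly requested."""
    if isinstance(data, dict):
        out = {}
        for key, value in data.items():
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                out[key] = mask_secret(value)
            elif CONTENT_KEY_RE.search(key) and not professional:
                out[key] = "[redacted]"
            else:
                out[key] = redact(value, professional)
        return out
    if isinstance(data, list):
        return [redact(item, professional) for item in data]
    return data


def write_private_html(path: str, html: str) -> str:
    """Write the rendered dashboard readable by the current user only
    (mode 0600) so other local accounts cannot read the generated file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(html)
    return path


# Constructed sample of the kind of data a control-center dashboard gathers.
SAMPLE = {
    "sessions": [{"id": "s-1", "user": "alice", "session_key": "sk-live-abcdef123456"}],
    "cron": [{"job_id": "j-42", "schedule": "*/5 * * * *", "payload": "rotate-keys --force"}],
    "gateway": {"ws": "ws://127.0.0.1:8080", "api_token": "tok-9f8e7d6c"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact(SAMPLE), indent=2, ensure_ascii=False))
    print(json.dumps(redact(SAMPLE, professional=True), indent=2, ensure_ascii=False))
```

The split between the two regexes is the point: a session key or API token has no legitimate reason to appear in a rendered page in any mode, whereas a job payload is operational content that professional mode may deliberately show, so it is gated on an explicit flag rather than removed outright.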

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly tells users to hand an AI agent a natural-language instruction to clone a repository, install dependencies, build, and start software on the local machine. That is dangerous because it delegates shell execution, file writes, and network retrieval to an agent without requiring confirmation, sandboxing, pinning, or a warning that arbitrary code from the repository and its dependencies will execute.

VirusTotal

VirusTotal findings are pending for this skill version.