OpenClaw Web Chat Pro

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This looks like a web chat app, but it needs review because it includes under-disclosed local command execution, unsafe install-time side effects, and weak default access controls.

Only install this in a trusted local test environment after inspecting the package scripts and server code. Consider running npm install with scripts disabled for review, change the default password immediately, restrict CORS/origin exposure, and do not expose the server to a network until the command-execution and unsafe rendering issues are resolved.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package may modify files outside this skill, and it is unclear which server file the documented startup path is meant to run.

Why it was flagged

The user is instructed to run npm install/npm start, but this lifecycle script may copy files into a different OpenClaw workspace path and suppress errors; the start target also does not match the provided code file manifest.

Skill content

"start": "node src/server.js", "postinstall": "cp -r public/* ~/.openclaw/workspace/chat-web/public/ 2>/dev/null || true"

Recommendation

Inspect package scripts before installing, avoid lifecycle scripts unless needed, and ask the publisher to remove hidden side effects and align the runtime entry point with the reviewed source.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution

What this means

If exposed through the web server or insufficiently constrained, chat/API activity could cause programs to run under the installing user's local account.

Why it was flagged

The backend can spawn a local process using dynamic command and argument variables, but the skill description does not clearly disclose local command execution or its allowed scope.

Skill content

const child = spawn(cmd, args, { env, shell: false });

Recommendation

Do not expose this server beyond a trusted local environment until the command execution path is reviewed, allowlisted, and documented.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution

What this means

A malicious message or model response could potentially run script in the browser and read page data such as session identifiers or password fields.

Why it was flagged

A shipped frontend inserts chat message content into innerHTML without escaping, which can turn untrusted user or model text into browser-executable HTML/JavaScript if that page is served.

Skill content

div.innerHTML = `... ${msg.content.replace(/\n/g, '<br>')} ...`;

Recommendation

Remove old public pages or render messages with textContent/strict sanitization before serving this app.

What this means

If the service is reachable by other users or the network, unauthorized people may be able to access or use the chat app more easily.

Why it was flagged

The documented default password is weak and the CORS setting is fully permissive for a web app that stores conversations and exposes chat/history APIs.

Skill content

PASSWORD=admin123
ALLOWED_ORIGINS=*

Recommendation

Change the password before first use, restrict allowed origins, and keep the service bound to localhost unless it is placed behind properly configured authentication.

What this means

A compromised or changed CDN script could run in the chat page and access page content.

Why it was flagged

The chat UI loads a third-party Markdown script from a CDN at runtime. This is purpose-aligned for Markdown rendering, but it is not pinned with an integrity check in the artifact.

Skill content

<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>

Recommendation

Bundle the dependency locally or pin it to a specific version with Subresource Integrity.

What this means

Chat sessions may remain accessible from the same browser or exported history after the immediate task is finished.

Why it was flagged

The browser persists a session identifier, matching the advertised session-persistence feature, but persistent chat sessions can retain sensitive context.

Skill content

SESSION_ID = localStorage.getItem('webchat_session_id'); ... localStorage.setItem('webchat_session_id', SESSION_ID);

Recommendation

Avoid entering secrets unless needed, clear stored sessions when finished, and protect the browser/profile used with this app.