OpenClaw Web Chat Pro

Installing the package may modify files outside this skill, and it is unclear which server file the documented startup path is meant to run.

The user is instructed to run npm install/npm start, but this lifecycle script may copy files into a different OpenClaw workspace path and suppress errors; the start target also does not match the provided code file manifest.

If exposed through the web server or insufficiently constrained, chat/API activity could cause programs to run under the installing user's local account.

The backend can spawn a local process using dynamic command and argument variables, but the skill description does not clearly disclose local command execution or its allowed scope.

A malicious message or model response could potentially run script in the browser and read page data such as session identifiers or password fields.

A shipped frontend inserts chat message content into innerHTML without escaping, which can turn untrusted user or model text into browser-executable HTML/JavaScript if that page is served.

If the service is reachable by other users or the network, unauthorized people may be able to access or use the chat app more easily.

The documented default password is weak and the CORS setting is fully permissive for a web app that stores conversations and exposes chat/history APIs.

A compromised or changed CDN script could run in the chat page and access page content.

The chat UI loads a third-party Markdown script from a CDN at runtime. This is purpose-aligned for Markdown rendering, but it is not pinned with an integrity check in the artifact.

Chat sessions may remain accessible from the same browser or exported history after the immediate task is finished.

The browser persists a session identifier, matching the advertised session-persistence feature, but persistent chat sessions can retain sensitive context.