OpenClaw Web Chat Pro
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: webchat-pro
Version: 1.0.0
The skill bundle is classified as suspicious due to several significant vulnerabilities, primarily in `src/server-v15.js` and `src/public/index.html`. These include a hardcoded default password ('admin123'), plain text storage of the password in `chat-auth.json`, and client-side storage of the password in `sessionStorage`. Additionally, the `streamAI` function passes user-controlled input directly to the `openclaw agent` command, which, while using `shell: false`, could still pose a prompt injection risk if the `openclaw` agent itself is vulnerable to specially crafted arguments. The `postinstall` script in `package.json` copies files to a user's home directory, a broad permission that could be abused, though in this context it's for static assets. There is no clear evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package may modify files outside this skill, and it is unclear which server file the documented startup path is meant to run.
The user is instructed to run npm install/npm start, but this lifecycle script may copy files into a different OpenClaw workspace path and suppress errors; the start target also does not match the provided code file manifest.
"start": "node src/server.js", "postinstall": "cp -r public/* ~/.openclaw/workspace/chat-web/public/ 2>/dev/null || true"
Inspect package scripts before installing, avoid lifecycle scripts unless needed, and ask the publisher to remove hidden side effects and align the runtime entry point with the reviewed source.
If exposed through the web server or insufficiently constrained, chat/API activity could cause programs to run under the installing user's local account.
The backend can spawn a local process using dynamic command and argument variables, but the skill description does not clearly disclose local command execution or its allowed scope.
const child = spawn(cmd, args, { env, shell: false });
Do not expose this server beyond a trusted local environment until the command execution path is reviewed, allowlisted, and documented.
A malicious message or model response could potentially run script in the browser and read page data such as session identifiers or password fields.
A shipped frontend inserts chat message content into innerHTML without escaping, which can turn untrusted user or model text into browser-executable HTML/JavaScript if that page is served.
div.innerHTML = `... ${msg.content.replace(/\n/g, '<br>')} ...`;
Remove old public pages or render messages with textContent/strict sanitization before serving this app.
If the service is reachable by other users or the network, unauthorized people may be able to access or use the chat app more easily.
The documented default password is weak and the CORS setting is fully permissive for a web app that stores conversations and exposes chat/history APIs.
PASSWORD=admin123
ALLOWED_ORIGINS=*
Change the password before first use, restrict allowed origins, and keep the service bound to localhost unless it is placed behind properly configured authentication.
A compromised or changed CDN script could run in the chat page and access page content.
The chat UI loads a third-party Markdown script from a CDN at runtime. This is purpose-aligned for Markdown rendering, but it is not pinned with an integrity check in the artifact.
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
Bundle the dependency locally or pin it to a specific version with Subresource Integrity.
Chat sessions may remain accessible from the same browser or exported history after the immediate task is finished.
The browser persists a session identifier, matching the advertised session-persistence feature, but persistent chat sessions can retain sensitive context.
SESSION_ID = localStorage.getItem('webchat_session_id'); ... localStorage.setItem('webchat_session_id', SESSION_ID);
Avoid entering secrets unless needed, clear stored sessions when finished, and protect the browser/profile used with this app.
