Ekybot Connector

Security checks across malware telemetry and agentic risk

Overview

This is a real remote-management connector, but it gives Ekybot persistent cloud-driven control over local OpenClaw agents with weak local approval around daemon startup, metadata upload, config changes, and workspace deletion.

Install only if you intentionally want Ekybot cloud to continuously manage local OpenClaw agents. Use a dedicated OpenClaw environment, back up ~/.openclaw first, review or disable memory sync and telemetry settings before first run, and avoid sensitive workspaces unless you accept remote desired-state changes, relay prompts, inventory upload, persistent daemon operation, and possible agent/workspace deletion from the dashboard.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes sensitive capabilities including environment-variable access, file reads/writes, network connectivity, and shell execution, but does not declare corresponding permissions. This weakens reviewability and informed consent: a user may invoke installation steps that copy files, store credentials, modify local OpenClaw state, and contact a remote cloud service without an explicit permission manifest.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose frames the skill as connector setup/onboarding, but the content also describes broader behaviors such as telemetry collection, memory synchronization of local files, background service installation, log inspection, and configuration changes. That mismatch increases the chance of users authorizing actions they did not reasonably expect, especially where local data is uploaded to a cloud service or persistence is installed.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The API reference exposes capabilities for channel creation, inter-agent messaging, and agent configuration that materially exceed the skill's declared scope of remote control, machine health, and project memory sync. This scope expansion is dangerous because it can normalize undocumented remote communication and control paths, increasing the risk of covert message relaying, unintended agent orchestration, or misuse of workspace credentials for broader actions than users expect.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The Python example contradicts the rest of the reference by using a different authentication header and a different payload structure, which can cause implementers to send secrets or telemetry incorrectly. In security-sensitive connector code, inconsistent auth and request formats often lead to broken validation, ad hoc workarounds, and accidental weakening of authentication or logging of sensitive data during troubleshooting.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads and rewrites the project's generic .env file in place to store a connector-specific API key. This can unintentionally alter unrelated application secrets or configuration, and because the regex replacement is simplistic, it can corrupt .env content or remove/update the wrong entry, creating integrity and availability risk for the host project.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The machine inventory payload transmits detailed per-agent metadata including workspacePath, channelKey, projectHint, bindings, and names, which goes beyond basic health or connectivity checks. In a remote-control/connector skill, these fields can expose sensitive filesystem structure, internal project identifiers, and communication-routing metadata, increasing privacy and reconnaissance risk if the backend, logs, or transport are compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The deleteWorkspace method performs recursive deletion on a path that can be influenced by caller input and relies on weak path-safety heuristics such as substring checks and basename prefixes. An attacker or buggy caller could supply an unexpected path that still matches these heuristics, leading to deletion of unintended local directories and data loss beyond the connector's stated configuration responsibilities.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file-level documentation asserts that the client only talks to localhost, but the implementation accepts OPENCLAW_GATEWAY_URL and other overrides from options and environment variables without restricting them to loopback addresses. In a connector used for remote agent control and memory sync, this mismatch can cause operators or downstream code to trust the component as local-only while it may exfiltrate prompts, session keys, and bearer tokens to an attacker-controlled remote endpoint.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The collector opens per-agent session transcript files, parses message records, and derives behavioral metadata such as message volume and last activity. Even if raw message contents are not transmitted, this exceeds the stated machine-health/connectivity scope and exposes user and agent activity patterns that may be sensitive in a remote-control connector context.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The code claims telemetry is 'minimal' and 'no fingerprinting' while still collecting platform and Node.js version, which are identifying environment attributes. On their own these values are low sensitivity, but they can aid host profiling and create misleading assurances that reduce informed user consent and review scrutiny.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script goes well beyond connector setup by provisioning multiple agent workspaces, rewriting OpenClaw agent configuration, enabling inter-agent communication, and orchestrating channel creation. In a connector skill, this broad system reconfiguration increases blast radius and can materially change local agent behavior without the narrow scope users would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script writes SOUL.md, AGENTS.md, and communication protocol files that shape agent identity, collaboration rules, and operational behavior. This is dangerous because it silently injects persistent instructions into agent workspaces, creating an instruction-supply-chain risk that can alter future agent actions far beyond connectivity setup.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script builds a detailed JSON health payload but never transmits it; instead it performs a GET request with only the API key header. This is a security-relevant integrity issue because operators may believe telemetry-based health validation is occurring when it is not, which can hide outages or create a false sense of monitoring coverage.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script enumerates local agent activity files to derive last session activity, which goes beyond a minimal connectivity or machine-health check. In the context of a remote connector skill, collecting activity metadata can expose behavioral or operational information that users may not expect to leave the host.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script header and usage text state daemon installation is optional, but later logic always verifies the daemon and starts it if absent, then fails setup if it cannot keep it running. This is a deceptive setup flow that can cause users to authorize more persistent background execution than they intended, especially for remote-control software.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script tells the user daemon install was skipped, but immediately afterward enters a verification block that starts the daemon anyway if it is not running. For a connector enabling remote agent control, overriding a user's explicit decline materially increases risk because it creates persistence without informed consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This installer does more than setup and validation: it installs or launches a long-running background daemon and verifies persistence. In the context of remote agent control and memory sync, persistent execution expands the attack surface and should be treated as sensitive behavior requiring clear disclosure and user consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation places installation instructions before prominently warning that local memory files may later be synchronized to Ekybot cloud. In context, this is dangerous because the skill manages agent workspaces and curated memory, so users may install and enroll before understanding that substantive local content can be uploaded remotely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The telemetry section documents transmission of hostname, activity, usage, and system metrics without a prominent privacy notice, consent model, or minimization guidance. In the context of a remote-control connector, these fields can reveal device identity, behavioral patterns, and operational metadata to an external service, creating privacy and compliance risk even if transport is encrypted.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This client sends workspace, agent, health, and telemetry data to a remote service, but the code shown provides no user-facing notice, consent flow, or data-minimization guardrails. In a connector whose purpose is remote control and sync, network transmission is expected, but the lack of explicit disclosure and controls can still create a privacy and compliance risk if operators do not understand what metadata is being exported.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The executor performs remote-driven deletion of a local workspace via `configManager.deleteWorkspace(payload.workspacePath)` with no interactive confirmation, approval gate, or evident path safety validation in this file. In a connector designed for remote agent control, that makes destructive actions especially risky because a bad server-side operation, compromised API, or malformed payload could cause unintended local data loss.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code collects host, OS, configuration path/hash, include paths, managed fragment paths, and agent metadata without any visible consent, notice, or data-minimization controls in the file. For a connector intended to sync remote machine state, some inventory is expected, but the breadth of collected local system and filesystem metadata makes silent overcollection more dangerous because it can reveal environment details useful for targeting or leak sensitive operational context.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code deletes directories immediately with fs.rmSync(..., { recursive: true, force: true }) and provides no user-facing warning, prompt, dry-run, or recovery mechanism. In an agent-controlled integration context, silent destructive behavior increases the chance of accidental or unauthorized data loss because deletion can happen as part of automation without a human noticing in time.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Telemetry collection and transmission begin after an API health check without any clear interactive warning or consent flow informing users that system and agent activity metadata will be collected and sent. In this skill's context—remote agent control and project memory sync—users may reasonably expect connectivity checks, but not silent collection of agent/session-derived metadata, which makes the behavior more privacy-sensitive.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script loads an API key from local config and uses it in outbound requests without prominently informing the user that credentials and workspace metadata will be transmitted to a remote service. In a connector context, network use is expected, but silent credential-backed transmission still raises consent and data-handling concerns.

VirusTotal

65/65 vendors flagged this skill as clean.
