Openclaw Link

Security checks across malware telemetry and agentic risk

Overview

ClawLink looks like a legitimate agent-collaboration tool, but it enables networked task delegation and shared file exchange with under-scoped security guidance.

Install only if you intentionally want trusted OpenClaw sessions to communicate. Keep the relay on localhost when possible, use a strong token for any LAN use, do not follow the unauthenticated 0.0.0.0 README example, and avoid internet tunnels unless you add HTTPS/WSS, authentication, and network access controls. Treat incoming tasks and shared files as untrusted until reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill clearly instructs use of network communication, file sharing, file reads/writes, and optional environment-based token handling, yet it declares no permissions. That mismatch weakens user awareness and any permission-gating model, which is especially risky here because the skill enables cross-instance communication and collaborative file operations across machines.

Intent-Code Divergence

Severity: Low
Confidence: 92%
Finding
The documentation promises header-based authentication, but the middleware also accepts the shared token in the URL query string for WebSocket upgrades. Query-string secrets are commonly exposed through logs, browser history, proxy caches, referrer leakage, and monitoring systems, making accidental credential disclosure more likely than with headers. In this skill's context, the server coordinates multiple agents and can expose delegated tasks, broadcasts, and shared file contents, so even a low-severity auth-handling weakness increases risk on a LAN-deployed relay.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README promotes cross-machine agent discovery, task delegation, knowledge sharing, collaborative file editing, and internet exposure, but provides no warning about authentication, authorization, confidentiality, or integrity risks. In this skill context, the feature set directly enables remote agent-to-agent influence and file sharing, so omitting security guidance can lead users to expose sensitive data or allow untrusted peers to affect agent behavior and shared artifacts.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The quick start tells users to run the relay on 0.0.0.0 and elsewhere recommends internet tunneling, effectively encouraging broad network exposure with no visible warning or hardening guidance. For an agent-mesh system that supports delegation and collaborative file operations, exposing the relay can permit unauthorized discovery, message injection, task abuse, data exfiltration, or tampering if access controls are weak or absent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The activation guidance is very broad, covering generic phrases like asking another agent to help or any multi-agent collaboration. In this skill's context, over-triggering is dangerous because activation can lead to network setup, peer discovery, task delegation, and shared file access, expanding the attack surface and increasing the chance of unintended data exposure or unsafe cross-session actions.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The protocol explicitly supports collaborative file writes but does not warn that any connected agent may be able to modify shared artifacts, potentially overwriting files, injecting malicious content, or causing unsafe downstream actions if those files are later trusted or executed. In a multi-agent mesh, shared file operations are a high-risk primitive because they cross trust boundaries and can turn one compromised or misconfigured agent into a write-capable attacker against other participants' workflows.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The document recommends exposing the relay through ngrok or Cloudflare Tunnel without a prominent warning that the protocol has no authentication by default and does not encrypt traffic unless additional protections are added. Given the skill's purpose is cross-machine agent communication, this guidance could lead users to publish an unauthenticated control and file-sharing plane to the internet, enabling unauthorized agent registration, message interception, task injection, or manipulation of shared work.

VirusTotal

66/66 vendors flagged this skill as clean.