Back to skill

Security audit

Mission Control Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed template for building a local OpenClaw dashboard, but users should keep it private because it can expose local memory previews through an unauthenticated web app.

Install only if you want to build a local personal dashboard. Do not expose the generated Next.js app to the public internet until you add authentication and access controls, and review the memory sync path so it does not serve private notes, secrets, or overly broad files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `/api/sync` route reads Markdown files from a local OpenClaw memory directory under the server user's home directory and returns their contents over an HTTP endpoint with no authentication or consent gate. This can expose sensitive notes, prompts, secrets, or personal data to any party that can access the dashboard, making the skill materially riskier because memory browsing is a core feature and the route is presented as ready-to-use code.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.