Openclaw Interaction Bridge

Security checks across malware telemetry and agentic risk

Overview

The bridge mostly does what it advertises, but it handles approval authority through local HTTP using reusable secrets and session identifiers, including logging the expected approval secret on failed callbacks.

Install only if you control and trust the Snarling or custom endpoint and understand that approval prompts, notification text, session identifiers, and callback secrets are sent to a local HTTP service. Set a strong OPENCLAW_APPROVAL_SECRET, keep callbacks localhost/private, avoid sensitive notification text, and patch the version so failed approval callbacks never log the expected secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires environment variable access and network communication. This is dangerous because it hides the true trust boundary from reviewers and users, making it easier to install a plugin that can exfiltrate data, open callback surfaces, or communicate with external services without explicit consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose understates materially sensitive behaviors: registering callback endpoints, waking sessions, manipulating TaskFlow state, and collecting interaction statistics. Even if these features support the bridge use case, omitting them from the high-level purpose reduces transparency and may cause users to trust a plugin that exposes inbound control paths or behavioral telemetry they did not expect.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The approval request sends the sessionKey to an external local service even though the bridge only needs to display/relay approval state. A session identifier can enable session correlation, misrouting of callbacks, or unauthorized event injection if the external program is compromised or another local process can intercept or impersonate the service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents that agent state, approval requests, notification contents, session identifiers, and callback metadata are transmitted to another service, but it does not provide a clear privacy warning, data-classification guidance, or limits on what information may be sent. Even though the default target is localhost, the README explicitly encourages adapting this bridge to other interaction surfaces, which increases the chance that sensitive agent activity or user-facing content could be exposed beyond the local machine.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The notification feedback loop collects behavioral interaction data such as whether the user revealed or dismissed a notification and how long it took to respond, but the documentation provides no clear privacy warning or consent language. This is risky because such timing and interaction data can be used to profile user behavior, attention patterns, or habits beyond the core functionality of showing notifications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sensitive values are posted over plain HTTP to localhost, including the approval secret and sessionKey. Localhost is not a trust boundary: other local users, malware, containers, browser-based localhost attacks, or a rogue process bound to port 5000 could capture these values and forge approval callbacks or interfere with agent control.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The notification path also sends approvalSecret and sessionKey over plain HTTP to the external service. Exposure of these values broadens compromise from notifications into approval/session control, allowing a malicious or spoofed local service to impersonate legitimate feedback and potentially influence agent behavior.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The plugin constructs callback URLs over plain HTTP and relies on transmitting session-related identifiers and approval metadata to local endpoints without transport protection or explicit user disclosure. Even on localhost, unencrypted loopback IPC can expose sensitive workflow state to local malware, hostile co-tenants, debugging proxies, or misrouted port-forwarding setups, and approval events are security-sensitive because they gate agent actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The notification tool forwards agent-controlled message content to an external local HTTP service without any trust boundary warning, content minimization, or confidentiality protection. If the agent includes sensitive prompt, user, or task data in notifications, that information is exfiltrated from the core runtime into another process, expanding the attack surface and potentially leaking secrets to logs or compromised local services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly describes collecting detailed notification interaction telemetry such as whether a user revealed, dismissed, or timed out a notification and using that data for 'attunement,' but it does not provide a meaningful privacy notice, consent model, retention guidance, or limits on secondary use. Even though this is documented behavior rather than hidden exfiltration, it creates a real privacy risk because user behavior data is being captured and used to adapt agent behavior without clear disclosure or controls.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documentation explicitly describes notification and approval callbacks that transmit user interaction telemetry such as reveal/dismiss actions and time-to-reveal, but it does not provide a clear user-facing privacy notice, consent model, retention guidance, or data-minimization statement. This is a genuine privacy/security concern because behavior telemetry can reveal habits and presence patterns, especially when tied to a physical device and human approval workflow.

External Transmission

Medium
Category
Data Exfiltration
Content
  // Notify snarling display directly (port 5000) - no middleman
  // Include sessionKey so snarling can pass it back in the callback URL
  try {
    await fetch("http://localhost:5000/approval/alert", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
Confidence
79% confidence
Finding
fetch("http://localhost:5000/approval/alert", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
  // Notify snarling display directly (port 5000)
  try {
    await fetch("http://localhost:5000/approval/alert", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
Confidence
77% confidence
Finding
fetch("http://localhost:5000/approval/alert", { method: "POST"

VirusTotal

64/64 vendors flagged this skill as clean.