Clawmeter

Security checks across malware telemetry and agentic risk

Overview

ClawMeter appears to be a real cost-tracking dashboard, but its unauthenticated local API is under-scoped and may be exposed more broadly than the documentation claims.

Install only if you are comfortable with a local service indexing OpenClaw usage metadata. Before running it, verify the repository source, bind the server explicitly to localhost or put it behind authentication, avoid exposing port 3377, protect the SQLite database and .env file, and use dedicated Telegram/SMTP credentials if alerts are enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document states there are 'No external API calls' except alerts if configured, but the broader publication and feature text repeatedly promotes Telegram/email alerts, which necessarily send outbound network traffic and may transmit usage metadata off-host. This mismatch can mislead users and reviewers about the true network behavior and privacy/security posture of the skill.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The architecture document makes an inaccurate security claim by stating there is no external network access, while other sections explicitly describe outbound Telegram Bot API and SMTP notifications. Misleading security documentation can cause operators to deploy the system under false assumptions, resulting in unintended data egress or weaker review of firewall and privacy controls.

Intent-Code Divergence

Severity: Low
Confidence: 85%
Finding
The documentation describes the system as local-only by default while also documenting remote access patterns and external notification channels. Although this is partly qualified by 'by default,' the overall wording can still understate the real exposure model and lead users to overlook authentication, network hardening, or privacy implications when enabling optional features.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document instructs users to export a bearer token directly in the shell and to write it to a plaintext file under ~/.config/clawhub/token without any warning about shell history, process exposure, file permissions, or secret management. This can lead to credential disclosure through terminal history, shared shell sessions, backups, or world-readable files, enabling unauthorized publication or account access.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The installation instructions tell users to clone, install, ingest logs, and start the service without warning that the skill parses local session logs and may send notifications via external channels if configured. This omission increases the risk of users enabling the tool without understanding data exposure, retention, or outbound alert behavior.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README explicitly documents ingestion of OpenClaw session logs and optional transmission of budget alerts via Telegram and SMTP, but it does not clearly warn users that session metadata, model usage, timestamps, and alert contents may be sensitive operational data. This creates a real privacy/security risk because users may deploy the tool without understanding what data is collected, stored, exposed via the local API/dashboard, and sent to third-party services.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill advertises a 'Clear old cost data' capability without clearly warning that it may archive or permanently delete historical records. In an agent context, ambiguous destructive actions can lead to unintended data loss if a user issues a natural-language command without understanding its impact or retention consequences.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The alerts section documents sending notifications through Telegram and email but does not clearly warn users that operational or cost data will leave the local environment. Even if only metadata is transmitted, undocumented data egress can create privacy, compliance, or policy issues, especially in environments expecting strictly local processing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The quickstart includes realistic credential fields for Telegram bot tokens, SMTP usernames, and app passwords but does not warn users to keep them secret, avoid committing `.env` files, or rotate exposed values. In setup guides, omission of secret-handling guidance commonly leads to credential leakage through screenshots, shell history, shared repos, or accidental publication.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The guide instructs users to ingest all existing OpenClaw session logs without noting that those logs may contain prompts, metadata, model usage history, or other sensitive operational data. This can cause users to process private data into the dashboard or expose it through the web UI and API without informed consent or minimization.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The POST /api/ingest endpoint allows any client who can reach the service to trigger a full re-ingestion of data with no authentication, authorization, CSRF protection, or rate limiting. An attacker could repeatedly invoke this expensive operation to cause resource exhaustion, duplicate processing side effects, log churn, or operational disruption, especially since the service also watches files and appears intended for local operational monitoring.

VirusTotal

63/63 vendors flagged this skill as clean.
