Back to skill

Security audit

Agent Easy Http

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built rather than malicious, but it exposes OpenClaw agent control over the network with broad defaults and persistent global configuration changes that users should review carefully.

Install only if you intentionally want to expose agent execution as a network API. Prefer binding to 127.0.0.1 behind a TLS reverse proxy, or enable HTTPS before cross-host use; protect and rotate the API key; set expose_skills and allowed_agent_ids narrowly; review deny_skills; back up ~/.openclaw/openclaw.json; avoid OPENCLAW_CONFIG_SYNC_PATHS unless you need it; and disable the watchdog if you do not want automatic restart and hook-config repair.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 2. 生成自签证书(一步到位)
    try:
        subprocess.run(
            [
                "openssl", "req", "-x509", "-new", "-nodes",
                "-key", str(KEY_PATH),
Confidence
83% confidence
Finding
subprocess.run( [ "openssl", "req", "-x509", "-new", "-nodes", "-key", str(KEY_PATH), "-sha256", "-days", str(days),

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires broad capabilities including network exposure, shell execution, file reads/writes, environment access, and configuration changes. This mismatch is dangerous because operators and policy systems may approve or run the skill without understanding that it can modify host config and expose agent functionality over the network.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill goes beyond running a local proxy and modifies the global OpenClaw hooks configuration in ~/.openclaw/openclaw.json. Changing shared platform-wide settings expands the blast radius: a proxy deployment can alter how all hook callers behave, and mistakes or abuse could weaken isolation or disrupt other components.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The watchdog does more than maintain the proxy process: it detects and repairs OpenClaw configuration automatically. This persistence/self-healing behavior is risky because it can reapply sensitive global changes after an administrator intentionally reverts them, making unauthorized or accidental configuration drift harder to stop.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill can propagate its OpenClaw configuration changes to external configuration sources via OPENCLAW_CONFIG_SYNC_PATHS. This substantially increases impact because a local skill action may modify centralized or shared config, potentially affecting multiple environments or causing security settings to persist beyond the host where the proxy was intended to run.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill advertises itself as a per-skill HTTP proxy but also exposes `/agent/run`, a general-purpose agent execution endpoint that is not restricted to a named skill. This broadens the attack surface substantially because any authenticated caller can send arbitrary prompts to the underlying agent, potentially bypassing intended skill-level exposure controls and deny-list assumptions.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The file includes process-management behavior such as auto-starting and controlling a watchdog, which exceeds a minimal authenticated proxy role and increases operational side effects. In a security-sensitive deployment, hidden or unexpected service supervision can complicate containment, monitoring, and change control, especially if operators believe they are deploying only a thin HTTP facade.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
This is a real weakness: the helper creates the shared HTTP root directory with mode 0755 even though the comment states it should be 0700. While the API keys and HMAC secret files are later written with 0600 and their subdirectories with 0700, a world-readable/traversable root can still expose directory names, certificate material locations, and any future files or subdirectories created under the root with weaker defaults. In the context of an HTTP-exposing agent skill, that increases local information disclosure risk on multi-user hosts or shared containers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The watchdog does more than supervise process health: it reads and conditionally rewrites OpenClaw hook configuration, auto-runs a hook setup wizard, and copies the hook token into a local config file. This expands the script's authority from service recovery into credential and platform configuration management, increasing the blast radius if the watchdog is triggered unexpectedly or runs with elevated privileges.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes exposing the agent over the network with HTTP as the default and does not clearly warn that API keys, prompts, outputs, and potentially sensitive agent actions will traverse the network unencrypted. In this skill context, the service is a remote control surface for an agent, so lack of transport security materially increases risk of credential interception, request tampering, and session data disclosure on any untrusted or shared network.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide normalizes exposing the agent service over network IP using plain HTTP by default, which sends both the X-API-Key and all agent prompts/results in cleartext to anyone able to observe the network path. Because this service exposes remote agent execution capability, interception or tampering could lead to unauthorized agent use, prompt/result disclosure, and possibly command or workflow abuse through the proxied agent interface.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The client examples instruct users to read a live API key from disk and send it in requests, but do not clearly warn that the key is a bearer credential that must be tightly protected from shell history, logs, screenshots, copied scripts, and permissive file permissions. In the context of a service that remotely triggers agent execution, API key leakage directly enables unauthorized use of the exposed agent endpoint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The design explicitly sends full SKILL.md contents and a callback URL to the agent for each request, which can disclose internal prompt logic, embedded secrets, operational instructions, or internal network details to downstream components and logs. This enlarges the sensitive data footprint and can aid prompt injection, data exfiltration, or SSRF-style abuse if callback targets are not tightly controlled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The v2 workflow contemplates sending messages to external recipients as part of agent-driven execution without any stated consent, approval, or disclosure model. That creates a clear risk of unintended outbound disclosure of user data, business information, or agent-generated content to third parties.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The code silently starts a watchdog subprocess by default, with only minimal console messaging after the fact and no clear up-front consent at the decision point. While not a classic exploit primitive, undisclosed background process creation is risky in agent tooling because it changes persistence and runtime behavior in ways operators may not expect.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The server forwards user messages and parameters to another HTTP endpoint (`/hooks/agent`), and by default the product description emphasizes zero-friction HTTP exposure. In this context, insufficient disclosure is risky because sensitive prompts or secrets submitted by API clients may traverse the network or be processed by another component without callers clearly understanding the data flow.

External Transmission

Medium
Category
Data Exfiltration
Content
CERT=<workspace>/.http/certs/server.crt

# 跑指定 skill
curl --cacert $CERT -H "X-API-Key: $API_KEY" \
     -H "Content-Type: application/json" \
     -d '{"message":"运行 hello-env"}' \
     https://192.168.1.10:7720/skills/hello-env/run
Confidence
87% confidence
Finding
curl --cacert $CERT -H "X-API-Key: $API_KEY" \ -H "Content-Type: application/json" \ -d '{"message":"运行 hello-env"}' \ https://192.168.1.10:7720/skills/hello-env/run # 通用 agent 入口 curl

External Transmission

Medium
Category
Data Exfiltration
Content
banner("Step 4/5: TLS / HTTPS")
    print("HTTPS 提供传输层加密,但需要生成自签证书 + 客户端导入,有一定门槛。")
    print("说明:")
    print("  - 不开 HTTPS  → 调用方直接 curl 即可,零门槛(推荐先跑通再加 TLS)")
    print("  - 开 HTTPS    → 调用方需要 --cacert 指定证书(或导入系统信任库)")
    if config.get("listen_host") == "0.0.0.0":
        print("  ⚠️  当前监听 0.0.0.0(局域网可达),如有跨机器调用强烈建议开 TLS")
Confidence
90% confidence
Finding
curl 即可,零门槛(推荐先跑通再加 TLS)") print(" - 开 HTTPS → 调用方需要 --cacert 指定证书(或导入系统信任库)") if config.get("listen_host") == "0.0.0.0": print(" ⚠️ 当前监听 0.0.0.0(局域网可达),如有跨机器调用强烈建议开 TLS") pr

Tool Parameter Abuse

High
Category
Tool Misuse
Content
## 8. 常见问题

### Q1:客户端报「证书不受信任」
A:把 `~/.http/certs/server.crt` 加到客户端 CA 信任链,或临时用 `curl -k` 跳过校验(仅调试)。

### Q2:服务起不来,提示「api_key 不能为空」或「hook_url 无法解析」
A:跑一遍向导:`python3 scripts/server.py init`(会启用 OpenClaw hooks + 生成 API Key)。
Confidence
93% confidence
Finding
curl -k

Tool Parameter Abuse

High
Category
Tool Misuse
Content
print(f"证书路径:{CERT_PATH}")
    print()
    print("【curl】")
    print(f"  curl --cacert {CERT_PATH} https://your-host:port/health")
    print("  # 或临时跳过验证:curl -k https://...")
    print()
    print("【Python requests】")
Confidence
90% confidence
Finding
curl --cacert {CERT_PATH} https://your-host:port/health") print(" # 或临时跳过验证:curl -k

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/deployment.md:122