Agency HQ

Security checks across malware telemetry and agentic risk

Overview

Agency HQ appears to be a legitimate dashboard, but its live mode can expose real OpenClaw prompts and activity through unauthenticated web endpoints, and the documented default mode is inconsistent with the code.

Install only if you intend to run a local dashboard over your OpenClaw activity. Set ARENA_MODE=demo unless you explicitly want live data, and do not expose the Next.js server to a network or deploy live mode without authentication and prompt redaction. Treat the dashboard as capable of showing sensitive prompts, tool usage, cron instructions, and host stats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch (Medium, 96% confidence)

This endpoint reads local agent session and cron log files and returns snippets of raw user-authored content in its API response. Even though truncated, these snippets can contain secrets, internal instructions, filenames, credentials, or other sensitive prompt material, making this an information disclosure issue rather than a harmless visualization feature.

Context-Inappropriate Capability (Medium, 89% confidence)

The route inspects host filesystem locations under OPENCLAW_HOME/HOME and traverses agent and cron directories to build its response. That broad local-data access increases the attack surface and couples a UI endpoint to sensitive host state, which is risky if the API is reachable by untrusted users or deployed in shared environments.

Context-Inappropriate Capability (Medium, 82% confidence)

This endpoint reads from directories under the user's home/OpenClaw path to count session files, which exposes information derived from local agent activity and filesystem state to API consumers. Even though it only returns an aggregate count, it still leaks operational metadata about local usage patterns and trusts environment-controlled paths, making the skill more dangerous because its stated purpose is a live office visualization that surfaces real-time agent state.

Description-Behavior Mismatch (Medium, 95% confidence)

The endpoint reads agent session transcript files and returns snippets of assistant content as `currentTask`, which can expose internal prompts, work product, tool usage, or other sensitive operational data to anyone who can call the status API. In this skill's context, the feature is meant to visualize live agent activity, so the behavior is intentional, but it still expands data exposure well beyond simple status metadata.

Context-Inappropriate Capability (Medium, 90% confidence)

`execSync` builds a shell command using `agentId` interpolation inside `ps aux | grep -i "agent.*${agentId}"`, which creates a shell-injection surface if `agentId` can ever contain shell metacharacters or be influenced by untrusted data. Even if current agent IDs are static, using shell-based process inspection in a server endpoint is brittle and can lead to command execution or incorrect status reporting if assumptions change.

Missing User Warnings (Medium, 87% confidence)

The README explicitly states that live mode reads local OpenClaw session files, cron activity, and system statistics, but it does not clearly warn users that these sources may contain sensitive operational data. In a visualization skill meant for easy local deployment, this omission can lead users to expose agent prompts, activity history, filesystem-derived metadata, or host telemetry without informed consent.

Missing User Warnings (Medium, 95% confidence)

The skill explicitly states that live mode scans OpenClaw session JSONL files and extracts user messages and tool calls for display, but it does not provide a prominent privacy warning, consent model, or data-minimization guidance. That creates a real risk of exposing sensitive prompts, operational activity, or internal tool usage to anyone who can view the dashboard or deployed app.

Missing User Warnings (Medium, 94% confidence)

The code collects user activity text from local session and cron logs and returns it through an API without any evidence here of user notice, consent, or access controls. That creates a privacy and confidentiality risk because users may not expect their prompts or operational instructions to be republished in a dashboard feed.

Ssd 3 (Medium, 98% confidence)

This logic takes user-provided session content and surfaces it directly as activity messages. User prompts frequently contain private business context, secrets, tokens, incident details, or other sensitive text, so exposing them via an activity API creates a clear leakage channel.

Ssd 3 (Medium, 98% confidence)

The cron-log handling copies user prompt content from cron run files into the API output, again without sanitization beyond truncation. Scheduled jobs often contain operational commands and maintenance instructions, so this can expose especially sensitive internal workflow data to any caller of the endpoint.

VirusTotal

60/60 vendors flagged this skill as clean.