VPN Mesh

Security checks across malware telemetry and agentic risk

Overview

This is a real VPN mesh tool, but it mishandles sensitive VPN key material and under-discloses high-impact network and privacy behavior.

Install only if you are prepared to audit and modify it first. Do not publish or share registry.json produced by the Python setup path unless private_key is removed and existing keys are rotated. Expect setup to reveal your public IP/location to ipapi.co, expect registry/map features to contact external services, and review wg0.conf before running sudo wg-quick because it changes firewall and traffic-routing behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'registry_url' from os.environ.get (line 319, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
registry_url = os.environ.get("VPN_MESH_REGISTRY", DEFAULT_REGISTRY)
try:
    import urllib.request
    with urllib.request.urlopen(registry_url, timeout=10) as resp:
        data = json.loads(resp.read().decode())
        nodes = data if isinstance(data, list) else data.get("nodes", [])
        # Filter out current node
Confidence
88% confidence
Finding
with urllib.request.urlopen(registry_url, timeout=10) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill metadata understates its effective capabilities relative to what the documentation describes: shell execution, filesystem access, environment use, and network interaction. In a security-sensitive skill that configures VPN routing and handles cryptographic material, incomplete or misleading permission/capability disclosure reduces informed consent and can cause users or platforms to grant unsafe trust to the skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a substantive mismatch, not just a documentation gap. The described behavior includes external geolocation lookups, public registry interaction, third-party web asset loading, and—most seriously—the note that a private WireGuard key may be stored in registry.json, which would completely undermine the claim of local-only secret handling and could expose VPN identity and traffic routing trust.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The node registry object includes the WireGuard private key and is written to registry.json, mixing highly sensitive credential material with shareable node metadata. In a VPN mesh/exit node context this is especially severe, because anyone who obtains that file can impersonate the node, decrypt/control tunnel participation, or pivot through the mesh.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation encourages users to publish node details, detect geolocation, and route traffic through peers, but does not clearly warn that this may expose public IP address, approximate location, service availability, and traffic egress responsibility. In a VPN exit-node context, lack of explicit privacy and legal-risk warning is dangerous because operators may unknowingly accept network exposure and liability.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
The skill explicitly promotes bypassing geo-restrictions and accessing blocked services through foreign exit nodes. That materially increases abuse potential by framing the tool for evasion of jurisdictional or platform access controls, making harmful or policy-violating use more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically contacts external geolocation services to determine the host's public IP, country, and city without first obtaining explicit user consent or clearly warning that this disclosure will occur. In a VPN/mesh-node context, this is more sensitive than usual because it reveals metadata about a node intended for network routing and can expose operator location and IP to third parties.

Missing User Warnings

High
Confidence
99% confidence
Finding
The private key is silently stored in registry metadata without warning, increasing the chance users will back up, share, or publish the file as ordinary node information. For a VPN exit-node skill, concealed storage of a tunnel private key in metadata materially increases compromise risk and can expose all trust anchored to that identity.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
During setup, the skill contacts ipapi.co to discover external IP, country, and city without clear prior notice or consent. Although not credential theft, it leaks host metadata to a third party and is more sensitive here because the tool is explicitly about networking, routing, and node location disclosure.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill automatically fetches a remote node registry over the network without clear disclosure, exposing usage patterns and trusting external infrastructure by default. In this mesh context, undisclosed network access is more dangerous because fetched data can shape peer selection and alter where traffic is routed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The generated config adds PostUp/PostDown iptables rules that modify forwarding and NAT behavior, but the tool does not prominently warn users that connecting will alter system firewall and routing state. For a VPN exit-node skill, silent firewall modification can unintentionally expose the host as a transit node or disrupt local network policy.

Ssd 4

Medium
Confidence
88% confidence
Finding
The narrative normalizes use of foreign relay nodes to avoid country-based controls, which meaningfully lowers the barrier to misuse. In context, this is not a neutral VPN example: it specifically conditions users toward circumvention behavior in a mesh of agent-operated exit nodes.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3 ~/.openclaw/skills/vpn-mesh/scripts/setup.sh

# 3. Start the VPN interface (requires WireGuard installed)
sudo wg-quick up ~/.openclaw/vpn-mesh/wg0.conf

# 4. See your node on the map
python3 ~/.openclaw/skills/vpn-mesh/scripts/mesh_map.py --html
Confidence
74% confidence
Finding
sudo

VirusTotal

65/65 vendors flagged this skill as clean.
