Back to skill

Security audit

ChatClaw — Dashboard

Security checks across malware telemetry and agentic risk

Overview

ChatClaw mostly matches a remote dashboard bridge, but it also lets the cloud side manage cron jobs and local skills with broad operator authority that is not fully scoped or disclosed.

Install only if you trust ChatClaw/SumeraLabs, the cloud dashboard, and anyone who can access the API key. Treat this as granting persistent remote ability to chat with the agent, read workspace files through the gateway, manage installed skills, and manage scheduled tasks; avoid sensitive workspaces unless those controls are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill implements full cron job management capabilities (list, add, update, remove, run) that are not disclosed in the manifest, which materially expands its authority beyond the described chat/dashboard integration. Hidden task scheduling can be abused for persistence, repeated execution, or stealthy automation on behalf of the operator, making the mismatch itself security-relevant.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The declared scopes include broad administrative and write privileges such as operator.admin, operator.approvals, operator.pairing, and operator.write, which exceed the manifest's stated read-only browsing and chat features. Overbroad permissions violate least privilege and increase the blast radius if the skill is compromised, misused, or behaves unexpectedly.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill description frames task management as dashboard integration, but the code lets the remote cloud endpoint create, update, delete, and trigger cron jobs on the local agent. That gives a remote service persistent control over local automated actions, which is materially more powerful than passive dashboard visibility and could be abused if the cloud account, relay, or API key is compromised.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill claims read-only workspace browsing, but it silently edits openclaw.json to enable a local HTTP chat endpoint. Hidden configuration mutation expands the local attack surface and violates user expectations about the scope of the skill's access.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill accepts remote messages that invoke local CLI commands to list skills, enable or disable them, and reinstall them via clawhub. Even though subprocess_exec avoids shell injection, this still grants the remote relay powerful host-management capability that can alter local agent behavior and install new code.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises real-time remote chat, token tracking, task management, and workspace browsing through a cloud relay, but it does not clearly warn users that prompts, responses, metadata, and potentially sensitive agent context may be transmitted to a third-party service. In a security-sensitive agent ecosystem, lack of explicit disclosure and consent can lead users to enable the skill without understanding the data exposure and trust implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes a destructive cron deletion operation with no built-in confirmation, policy gate, or safety interlock. In a skill that already has hidden cron-management capability, this increases the risk of accidental or unauthorized removal of scheduled tasks and could be used to disrupt automation or cover tracks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cloud relay can request file listings and file contents from the local agent, and the code forwards that data back to the remote service with no visible consent, filtering, or path sensitivity checks in this file. In context, a dashboard relay makes this more dangerous because remote file browsing is a primary feature and could expose secrets from the workspace if the remote side is compromised or over-privileged.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill relays user prompts and model responses between the local agent and the cloud dashboard, which inherently transmits potentially sensitive chat content off-host. This may be expected for remote chat, but without explicit in-code consent, data classification, or redaction controls, it still creates a privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This client establishes a persistent WebSocket to a third-party cloud relay and relays agent messages, but the code shown contains no mechanism for user notice, consent, or policy enforcement around what data leaves the local environment. In the context of an agent skill that supports remote chat, token tracking, workspace browsing, and skill management, this can expose prompts, outputs, metadata, and potentially sensitive workspace-derived content to the cloud service without an explicit user-facing warning.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
gateway_client.py:113