OpenClaw A2UI

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to add rich HTML cards to OpenClaw, but it does so by installing a privileged UI plugin that modifies OpenClaw files and weakens browser-rendering boundaries.

Install only if you intentionally want an administrator-level OpenClaw UI integration, not just a cosmetic reply template. Review the plugin code, restrict the manifest route, verify HTML sanitization policy, and be prepared to undo the openclaw.json and control-ui changes if the bridge misbehaves.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The installation section instructs searching the local filesystem, selecting configuration files, copying plugin artifacts, and modifying OpenClaw configuration and deployment state. For a reply-formatting skill, these are privileged administrative actions that can create persistence, alter trust boundaries, and affect the entire host application rather than just this skill's output.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The manifest frames the skill as a presentation enhancement, but the documented lifecycle includes local plugin deployment and persistent application modification. This discrepancy makes the skill more dangerous in context because users enabling a cosmetic UI helper may unknowingly authorize system-level changes and injected browser-side code.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The plugin alters OpenClaw's core control-ui files on disk at gateway startup and shutdown, which exceeds normal UI-rendering behavior and creates a persistent code-injection point in the trusted web UI. Even if intended for compatibility, modifying application assets in place increases supply-chain and integrity risk because a skill can silently change what all administrators load in their browser.

Description-Behavior Mismatch

Severity: Low
Confidence: 93%
Finding:
The plugin exposes an HTTP endpoint that enumerates all skill UI configurations, which broadens data exposure beyond the stated purpose of rendering reply HTML. This can leak internal skill inventory and UI metadata to any requester, assisting reconnaissance and potentially exposing sensitive configuration details embedded in ui-config.json files.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The comment states the route requires authentication, but the handler performs no authentication or authorization checks and explicitly allows cross-origin reads with Access-Control-Allow-Origin: *. As a result, any website a logged-in or network-adjacent user visits could directly fetch the manifest and enumerate installed skill UI configs, creating a clear information disclosure issue and enabling cross-origin reconnaissance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The documented fallback goes beyond passive reply templating and instructs the agent to generate and present a standalone HTML file from the local workspace. In a skill whose purpose is UI rendering, adding local file creation plus browser/canvas presentation expands the execution surface and can enable unsafe HTML rendering paths, especially if later populated with model- or user-controlled content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
This section explicitly describes writing a local HTML file and then presenting it via a local canvas URL, which is a capability escalation relative to a reply-formatting template library. If an agent follows this guidance with untrusted content, it can create persistent local artifacts and render active content in a context that may be less constrained than the normal chat renderer.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The plugin writes a generated JavaScript file and rewrites control-ui's index.html automatically at startup, without any explicit user confirmation or visible warning. Silent modification of trusted UI assets makes the deployment harder to audit, can survive until shutdown or crash recovery, and increases the chance that administrators unknowingly serve altered frontend code.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The document explicitly instructs operators to enable raw HTML rendering and expand the DOMPurify allowlist, which weakens a core XSS defense boundary in a chat UI that renders model output. In this skill's context, the assistant is encouraged to emit direct HTML cards, so any sanitization misconfiguration or future template deviation could allow script-capable or dangerous markup to reach users, making the risk materially higher than a generic formatting guide.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documentation tells the agent to write into ~/.openclaw/workspace/canvas/reply.html without warning the user that a local file will be created or modified. Silent file creation is risky because it changes local state, can leave behind sensitive rendered content, and may surprise users who expected only an in-chat UI transformation.

VirusTotal

65/65 vendors flagged this skill as clean.