Agents-Manager-and-IM

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw agent manager, but it exposes powerful unauthenticated controls that can run shell commands and create or delete local agent files.

Install only after review. Run it on a trusted local machine, do not expose port 3000, back up ~/.openclaw first, and avoid sensitive chats or images because chat history persists in the browser. Prefer a version that removes shell-string execution, validates agent IDs and paths, adds authentication, and handles the Operator Token as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill advertises no declared permissions while the documented behavior and analyzer indicate environment access, network use, and shell-capable operations. This is dangerous because users and tooling may grant trust based on incomplete declarations, even though the skill reads local token material and interacts with local services and filesystems.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented purpose presents a chat-management UI, but the analyzed behavior includes broader and more sensitive capabilities such as scanning workspace directories, creating and deleting agent files, writing identity/persona files, health-checking services, and exposing pairing-related functionality. This mismatch is dangerous because it obscures the real attack surface: a user expecting a simple UI may unknowingly run code that can modify local agent state, remove data, or access pairing/token-related resources.

Intent-Code Divergence

Severity: Medium
Confidence: 79%
Finding:
The documentation presents the platform as keeping data locally in the browser and emphasizing privacy, but it also requires a Node server and a server-side config containing a sensitive Operator Token. This can mislead users about the actual trust boundary and where sensitive data or conversation content may transit or be exposed, increasing the risk of unsafe deployment or credential handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
API requests are built by interpolating method, URL, and JSON body into a shell command and executing curl via execSync. Because the request body can include user-controlled data such as agent name, description, and chat message, shell metacharacters like single quotes can break out of the quoted -d argument and trigger command injection on the local machine.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding:
The main request helper used by the CLI also assembles curl commands as strings and runs them in zsh. User-supplied values from create and chat are serialized into JSON and then embedded inside single quotes, so crafted input containing quotes or shell syntax can escape the payload and execute arbitrary commands with the privileges of the CLI user.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The script scans the user's ~/.openclaw directory, discovers workspace-* folders, creates agent directories, copies files, and writes new config files. For a skill described as a conversation-management UI, these local filesystem discovery and mutation behaviors exceed the stated scope and can modify user state without explicit consent, increasing the risk of unintended registration or data exposure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding:
The code invokes shell commands via execSync and constructs a curl command string dynamically. Even though the current target is localhost, shell-based execution expands the attack surface and can become command-injection-prone if method, endpoint, or body contents ever become less controlled or are influenced by external input.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The server exposes shell-command execution through exec() for both chat handling and deletion, and user-controlled data influences the constructed command. Although quotes in the message are partially escaped, using a shell at all for routine API actions creates command-injection risk and unnecessarily broadens the server's capabilities beyond a chat UI.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The skill exposes shell execution and filesystem mutation capabilities through a web service, including creating directories/files and invoking shell commands. In this context, those primitives are used to service HTTP requests and later combine with user-controlled values, substantially increasing the attack surface and enabling destructive or code-execution outcomes if abused.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The guide instructs users to directly extract an Operator Token from a local credential file and place it into configuration without any warning about secrecy, least privilege, or storage protections. That encourages insecure credential handling and could lead to token leakage through shell history, screenshots, copied config files, version control, or accidental sharing, potentially allowing unauthorized control of the OpenClaw environment.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The configuration example explicitly instructs users to place an operator authentication token in a local JSON file without any warning about secrecy, storage protections, or accidental disclosure. In an agent-management skill, this is more sensitive because the token likely grants control over multiple agents or gateway operations, so careless handling could enable account or infrastructure abuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The page persists per-agent chat history in localStorage without any notice, consent flow, retention control, or sensitivity warning. In this skill's context, chats may contain prompts, model outputs, and base64-encoded uploaded image data, so anyone with access to the same browser profile or any script running in the origin can read that data, creating privacy and data exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The client sends user-entered messages and uploaded image data to backend chat endpoints with no visible notice that content leaves the browser and is transmitted to a server. Because this is an agent-management interface that encourages multi-agent conversations and image uploads, users may share sensitive business or personal data without realizing it is being sent off-device.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script creates directories and writes IDENTITY.md, SOUL.md, and config.json automatically, while also copying files from existing workspaces, without prompting the user or previewing changes. This can overwrite expected state, import unreviewed content, and make persistent changes to the local agent environment with only progress messages as notice.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The delete route performs irreversible filesystem deletion immediately and also uses a shell-backed `rm -rf`. In this file there is no server-side confirmation, authorization, or safety check beyond path existence, so accidental or unauthorized requests could destroy agent data.

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:

```javascript
});

/**
 * DELETE /api/agents/:id - Delete Agent
 */
app.delete('/api/agents/:id', async (req, res) => {
  try {
```

Confidence: 98%
Finding:
DELETE /api/agents/:id

VirusTotal

65/65 vendors reported this skill as clean.
