Agent Manager

Security checks across malware telemetry and agentic risk

Overview

This is a real agent-management tool, but it exposes unsafe unauthenticated controls that can run shell commands and delete local agent data.

Review before installing. Use only on a trusted local machine, do not expose port 3000, rotate any token matching the examples, and fix authentication, CORS, command execution, path validation, and delete safeguards before using it with important OpenClaw agents or sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
98%
Finding
The origin metadata says this installed skill is 'tavily-search' while the surrounding manifest context describes 'agent-manager'. This mismatch can break provenance and trust decisions, causing a user or platform to believe one skill was installed when the recorded source points to another, which enables confusion, misattribution, or accidental execution of the wrong capability.

Context-Inappropriate Capability

High
Confidence
99%
Finding
The README includes a concrete OpenClaw token in a configuration example, which conditions users to reuse a real-looking secret and may directly expose valid credentials if the token is genuine. In an agent-management platform that can add, chat with, delete, and pair agents, compromise of this token could enable unauthorized control over agents and access to their conversations or integrations.

Intent-Code Divergence

Medium
Confidence
99%
Finding
The documentation claims to fix shell injection by using a 'parameterized' command, but the example still uses child_process.exec with string interpolation, which is shell-interpreted. If agentId or related inputs are attacker-controlled, this can lead to command injection and arbitrary command execution on the host.

Context-Inappropriate Capability

Medium
Confidence
95%
Finding
The CLI builds shell command strings and executes them with execSync to invoke curl, including interpolated HTTP method, URL path, and JSON body data. This creates command-injection risk if any interpolated value contains shell metacharacters or quotes, and it also unnecessarily grants the tool shell execution capability far beyond normal agent-management needs.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
The code builds shell commands as strings and executes them via zsh, including a curl command that embeds JSON in single quotes. If any interpolated value ever contains shell metacharacters or a single quote, this can break quoting and enable command injection or unintended command execution; even if current values are mostly fixed/local, the pattern is unsafe and fragile. In an agent-management context that handles local workspaces and registration data, shell execution increases risk because future changes or attacker-controlled data could turn this into arbitrary local code execution.

Description-Behavior Mismatch

High
Confidence
95%
Finding
The delete endpoint irreversibly removes an agent directory from disk via `rm -rf` with no authentication, authorization, or server-side confirmation mechanism. If the service is reachable by an attacker or an untrusted webpage due to permissive CORS, agents can be destroyed remotely, causing permanent loss of local data and configuration.

Context-Inappropriate Capability

High
Confidence
98%
Finding
The helper executes shell commands using `exec(..., { shell: 'zsh' })`, and later user-controlled values are interpolated into command strings. In `/api/agents/:id/chat`, `agentId` is derived from the URL parameter and inserted into the shell command without robust escaping, creating a command injection path that can lead to arbitrary command execution on the host.

Missing User Warnings

Medium
Confidence
94%
Finding
The guide tells users how to extract an Operator Token from a local pairing file and place it into config.json, but it gives no warning that this token is a sensitive credential with potentially powerful access to the OpenClaw gateway. In a multi-agent management skill, encouraging direct handling of bearer-style credentials without storage, rotation, or least-privilege guidance increases the risk of credential leakage through shell history, screenshots, copied files, or accidental source control commits.

Missing User Warnings

Medium
Confidence
88%
Finding
The document advertises automatic local saving of chat history and image inputs as a feature, but does not clearly warn that sensitive prompts, model outputs, and uploaded images will persist in browser storage. For a tool that centralizes conversations with multiple agents, retained local data can expose private business data or credentials to anyone with access to the browser profile, shared machine, backups, or malicious extensions.

Missing User Warnings

Medium
Confidence
90%
Finding
The documentation instructs users to extract an operator token directly from a local file and display it via shell commands, but it does not clearly warn that this is a sensitive credential. This increases the risk of accidental exposure through shell history, screenshots, logs, clipboard leakage, or reuse in insecure configuration files.

Missing User Warnings

Medium
Confidence
93%
Finding
The UI allows users to upload images and send chat content to backend API endpoints, but there is no visible notice explaining that this data will be transmitted to a server or potentially retained. In a multi-agent chat tool, prompts and images may contain sensitive personal or business information, so lack of disclosure creates a real privacy and compliance risk even if the transport itself is intended behavior.

Missing User Warnings

Medium
Confidence
95%
Finding
Conversation history is stored in localStorage without informing the user, which means chat contents persist on the device across sessions and are accessible to any script running in the same origin. In a chat application handling agent conversations and image references, this can expose sensitive content to other users of the browser profile or to future XSS in the same application.

Missing User Warnings

Medium
Confidence
91%
Finding
The script automatically creates directories and writes or replaces IDENTITY.md, SOUL.md, and config.json without an explicit confirmation prompt or safeguarded preview. This can overwrite trusted local metadata, import unexpected workspace contents, and cause integrity issues or user confusion, especially because it scans directories automatically under the user's home path. In a local agent-management tool, silent mutation of agent state is more dangerous because these files likely influence downstream agent behavior.

Missing User Warnings

Medium
Confidence
92%
Finding
Deletion is an irreversible destructive operation, yet the server performs it immediately after receiving the request and does not enforce any authentication, role check, or secondary confirmation. In this context, lack of a warning is not merely UX debt: combined with open API exposure it materially increases the chance of accidental or malicious data destruction.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
});

/**
 * DELETE /api/agents/:id - Delete Agent
 */
app.delete('/api/agents/:id', async (req, res) => {
  try {
Confidence
97%
Finding
DELETE /api/agents/:id

VirusTotal

64/64 vendors flagged this skill as clean.