Agents-Manager-and-IM

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw agent manager, but it exposes powerful local agent controls through unsafe shell-backed web APIs.

Review and harden this before installing. Run it only on a trusted local machine, back up ~/.openclaw first, avoid real Operator Tokens in plaintext config, do not expose the server to a network or untrusted browser pages, and replace shell-built commands with argument-based process calls or native HTTP/filesystem APIs plus authentication for create, chat, and delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities that involve shell execution, network access, and environment/file access, but it does not declare corresponding permissions. This creates a trust and review gap: users may install it expecting a UI-only chat manager while it can invoke CLI commands and access local OpenClaw data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose presents the skill as a conversation management UI, but the described behavior extends to agent creation/deletion, workspace scanning, shell command execution, token-related flows, and local service probing. That mismatch is dangerous because it obscures privileged operations and can cause users to grant trust to a tool that performs broader, more sensitive actions than advertised.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The README exposes a concrete hardcoded OpenClaw token and instructs users to place it directly into configuration. This is a real secret exposure risk: anyone who reads the file can reuse the credential to access the associated gateway or service, and README files are commonly copied, shared, or committed to source control.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The 'fixed' example still uses child_process.exec with a shell-interpolated command string containing agentId, while claiming it is parameterized. If agentId is attacker-controlled or insufficiently validated, this can lead to shell injection and arbitrary command execution on the host.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The CLI builds shell commands with string interpolation and executes them via execSync using curl. User-controlled data such as agentId and message can flow into the command string, and JSON.stringify does not make shell-safe arguments, so crafted input containing quotes or shell metacharacters can break out of the intended curl invocation and execute arbitrary local commands.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill claims message isolation, but stores all agent chat history in a single browser localStorage namespace. On a shared browser profile or multi-user workstation, any script running in the same origin or any later user of that profile can access prior conversations and uploaded image data, undermining the advertised isolation guarantee.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The helper wraps child_process.exec with a shell (`zsh`), creating a generic shell-execution primitive in a web server. In a multi-agent manager this is dangerous because later routes feed user-influenced values into shell commands, so this abstraction materially increases the risk of command injection and unintended system command execution.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The chat endpoint builds a shell command using user-derived data (`message` and route `id`) and passes it to `exec`, escaping only double quotes and newlines. This is insufficient for shell safety in zsh, so crafted input can break command context or inject additional shell syntax, leading to remote code execution under the server user's privileges.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Agent deletion is implemented with `rm -rf` executed through the shell using a path influenced by the request parameter `id`. If path or shell handling is bypassed or manipulated, this creates a destructive primitive capable of deleting arbitrary files or directories accessible to the service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The server exposes shell execution as a core mechanism and later feeds user-influenced values into shell commands. Even though some quoting is attempted, using exec with a shell for agent chat and deletion creates a serious command-injection surface and amplifies damage because commands run on the host with filesystem access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to extract an Operator Token from a local credential store and place it into config without clearly warning that it is a sensitive secret. This increases the risk of credential leakage through copied commands, screenshots, checked-in config files, or insecure local storage, which could enable unauthorized control of the OpenClaw gateway or associated agents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to place an operator authentication token directly into config.json without any warning about file permissions, secret handling, or avoiding source control. In an agent-management platform, exposure of this token could let an attacker control agents or access the OpenClaw gateway with operator privileges.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README includes a sensitive token in a sample config without any warning about secret handling. In the context of an agent-management platform, this is especially dangerous because the credential may grant control over multiple agents or backend operations, amplifying the blast radius of disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions tell users to place an Operator Token into config.json without strong handling guidance, which encourages storing a sensitive credential in a likely plaintext project file. This increases the risk of accidental disclosure through source control, logs, backups, screenshots, or local compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to print a token directly from ~/.openclaw/devices/paired.json without warning about exposure risks. Displaying secrets on the terminal or copying them manually can leak credentials via shell history, shared terminals, screen recording, or clipboard compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Chat messages and uploaded image data are retained in localStorage without any notice, consent, or retention disclosure. Because localStorage is long-lived and readable by any JavaScript executing on the same origin, sensitive conversation content can be exposed beyond the user's expectation.

External Transmission

Medium
Category
Data Exfiltration
Content
const method = options.method || 'GET';
const body = options.body ? JSON.stringify(options.body) : null;

// The serialized body is spliced into a shell command string; JSON.stringify
// does not escape shell metacharacters, including the single quote that wraps -d.
let cmd = `curl -s -X ${method} "${url}"`;
if (body) {
  cmd += ` -H "Content-Type: application/json" -d '${body}'`;
}
Confidence
92% confidence
Finding
The request body is interpolated into a shell-executed curl command string rather than sent through a native HTTP client; as noted in the CLI finding above, JSON.stringify does not produce shell-safe arguments.

External Transmission

Medium
Category
Data Exfiltration
Content
const url = API_BASE + endpoint;
const method = options.method || 'GET';

// Same pattern as above: the JSON-encoded body is interpolated directly into
// the shell command passed to curl, with no shell escaping applied.
let cmd = `curl -s -X ${method} "${url}"`;
if (options.body) {
  cmd += ` -H "Content-Type: application/json" -d '${JSON.stringify(options.body)}'`;
}
Confidence
92% confidence
Finding
The request body is again interpolated into a shell-executed curl command string built from API_BASE and the caller-supplied endpoint, with JSON.stringify as the only encoding step and no shell escaping.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal