Agents-Manager-and-IM

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local OpenClaw agent manager, but it exposes powerful local controls unsafely and includes a token-like secret in the package.

Review carefully before installing. Only run it on a trusted local machine, avoid exposing port 3000 to a network, remove and rotate any real OpenClaw token included in the files, and do not use it for sensitive agents until shell command execution, authentication, path validation, and deletion safeguards are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises no declared permissions while the implementation reportedly uses environment access, network access, and shell-like capabilities. This creates a transparency and consent problem: operators may install or trust the skill without understanding it can inspect local state, communicate externally, or invoke system-level behavior. In a multi-agent management context, undeclared capabilities are especially risky because the tool may have access to many agents, local workspaces, and sensitive configuration data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is more than a documentation issue: the declared UI/chat purpose does not match materially more powerful behaviors such as scanning ~/.openclaw directories, creating and deleting agent files, probing a local gateway service, and exposing hardcoded gateway token/config values. Hidden management, discovery, and credential-related behavior expands the attack surface and can lead to unauthorized access to local agents, leakage of secrets, or destructive modification of agent state. The mismatch makes the skill more dangerous because users would reasonably expect a benign chat UI, not local enumeration and agent lifecycle control.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This helper builds a shell command string containing method, URL, and JSON body, then executes it with execSync. Although the current callers use mostly fixed endpoints, the body includes user-controlled values such as agent name, description, and chat message; embedding JSON inside single quotes makes shell-quote breaking possible, enabling command injection if a value contains a single quote and shell metacharacters.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
simpleFetch constructs `curl ... -d '${JSON.stringify(options.body)}'` and executes it with `shell: 'zsh'`. User-supplied fields from CLI operations, especially chat messages and agent metadata, flow into the JSON body; a single quote in input can terminate the shell string and allow arbitrary command execution on the local machine running the CLI.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code builds shell command strings and executes them with execSync(..., shell: 'zsh') to talk to the local API. Even though current inputs are mostly constant, this pattern is dangerous because any future variable interpolation into method, URL, or body can become shell injection, and it unnecessarily expands the attack surface compared with using native HTTP APIs.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The helper wraps shell execution with `exec(..., { shell: 'zsh' })`, creating a general command-execution primitive that is later used with user-influenced data. In this skill's context, a conversation-management UI does not need arbitrary shell invocation, so this materially increases the risk of command injection and unsafe expansion of privileges through downstream routes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The delete route performs `rm -rf` through the shell on a path partly derived from a request parameter. Even though the path is quoted, using shell-based recursive deletion for user-triggered operations is dangerous because path handling mistakes, symlink issues, or future changes can turn this into destructive filesystem loss.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The server exposes an unauthenticated DELETE endpoint that permanently removes agent directories from disk using a recursive shell command. In this skill context, a web UI for agent management makes destructive filesystem actions especially risky because any party who can reach the service may delete agents and associated data without authorization or recovery.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded OpenClaw token is embedded in source code, which creates a credential exposure risk for anyone with read access to the file, repository, logs, backups, or deployed artifact. In an agent-management service, a valid management token can enable unauthorized access to internal agent infrastructure and lateral movement into the local automation environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly shows how to extract an Operator Token from a local pairing file, but does not warn that this token is a sensitive credential that can grant privileged access to the OpenClaw gateway. In the context of a multi-agent management platform, exposing token-retrieval steps normalizes insecure handling and increases the chance users will paste, store, or share the credential unsafely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide describes browser local storage as 'safe and private' while also stating that chat history and uploaded images are automatically saved. That wording is misleading because browser-stored data can be accessible to other local users, browser profiles, extensions, backups, or anyone with access to the machine, creating privacy and data-retention risk for potentially sensitive conversations and images.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The UI allows users to upload images and send chat content to backend API endpoints, but it provides no notice that this data leaves the browser and may be processed or retained server-side. In an agent-management tool, users may paste sensitive prompts, credentials, or proprietary images, so lack of disclosure meaningfully increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Chat history is persisted in localStorage without notifying the user, which can expose prior conversations to anyone with access to the same browser profile or to malicious scripts if the origin is later compromised. Because this application manages multiple agents and potentially sensitive conversations, silent client-side persistence raises confidentiality concerns.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The chat endpoint constructs a shell command using request-derived values (`id`, `message`, workspace path) and executes it without meaningful safety boundaries. Escaping only double quotes and newlines is insufficient for shell safety, and the endpoint effectively bridges unauthenticated chat input into command execution, which is especially dangerous for an internet-exposed management UI.

Missing User Warnings

High
Confidence
99% confidence
Finding
This finding reflects the same underlying issue as the hardcoded token: a credential is embedded in code without disclosure or protection. The core danger is not the lack of a warning but the secret exposure itself, which can lead to unauthorized use of the OpenClaw environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The chat endpoint constructs a shell command containing user-controlled message content and executes it with exec(..., { shell: 'zsh' }). Escaping only double quotes and newlines is insufficient; shell metacharacters inside double quotes, especially command substitution like $(...) or backticks, may still execute, enabling remote command execution on the host from a crafted chat message.

Missing User Warnings

High
Confidence
96% confidence
Finding
The deletion route performs irreversible removal of filesystem content on the server without any authentication, authorization, or server-side confirmation gate. Because this is a remotely reachable management API, the danger is unauthorized destruction of agent state and possible broader filesystem impact if path handling is ever abused.

VirusTotal

66/66 vendors flagged this skill as clean.
