Manus on OpenClaw
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: manus-openclaw-bridge
Version: 1.0.2
The skill bundle contains critical shell injection vulnerabilities in 'scripts/manus_submit.sh' and 'scripts/manus_get_task.sh', where user-provided prompts and task IDs are expanded inside double-quoted strings in curl commands, potentially allowing Remote Code Execution (RCE). Furthermore, there is a significant security discrepancy: 'SKILL.md' and 'SECURITY.md' claim that all downloads are restricted to HTTPS and allowlisted hosts, but 'scripts/manus_slides_json_to_pptx.mjs' fails to implement these checks, allowing plain HTTP and arbitrary host connections. While these appear to be unintentional security flaws rather than deliberate malware, they represent a high-risk attack surface for prompt-driven exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised slides JSON bundle could make the user's machine fetch unexpected external or internal URLs and potentially write/overwrite files near the chosen output path.
The slide JSON controls image URLs and slide IDs. This helper accepts non-HTTPS HTTP URLs, follows redirects without host revalidation, and writes to a path influenced by slideId, unlike the safer Python collector.
const imgUrl = obj.images?.[slideId]; ... const client = url.startsWith('https:') ? https : http; ... const imgPath = path.join(outDir, `${String(i + 1).padStart(2, '0')}_${slideId}.png`); ... await download(imgUrl, imgPath);
Do not use the slide converter on untrusted JSON until it enforces HTTPS, Manus-host allowlisting, redirect revalidation, size limits, and safe filename/path sanitization.
Users may believe all downloads are constrained to safe Manus HTTPS hosts when the slide-conversion path is not.
The documentation presents a strong download-safety model, but one included downloader used by the slides workflow does not implement that model.
SKILL.md: "Downloader accepts only HTTPS URLs from allowlisted Manus-controlled hosts." / mjs: "const client = url.startsWith('https:') ? https : http;"
Either update the converter to match the documented safety rules or clearly document that only the Python collector is protected and the slide converter should be treated as untrusted-input sensitive.
Anyone who can read the local config file or change the configured API base could affect or misuse Manus API access.
The skill requires a Manus API key and sends it to the configured Manus API endpoint. This is expected for the integration, but it is still delegated account authority.
SKILL.md: "MANUS_API_KEY (required, local only, stored in ~/.config/manus-openclaw-bridge/manus.env)"; manus_submit.sh: "--header \"API_KEY: ${MANUS_API_KEY}\""
Use a dedicated least-privilege Manus API key, keep the config file private, and verify MANUS_API_BASE points to the official Manus endpoint.
The converter may fail or load whatever pptxgenjs version is present in the local Node environment.
The slide converter depends on an external Node package, but the artifacts provide no package manifest, lockfile, or pinned install path.
metadata: "No install spec"; scripts/manus_slides_json_to_pptx.mjs: "import PptxGenJS from 'pptxgenjs';"
Add a package manifest and lockfile or document a pinned, trusted install command for pptxgenjs.
