OmniPermission (Human-in-the-Loop)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real mobile approval plugin, but it needs review because it exposes its approval secret too easily and has under-disclosed external data handling.

Install only if you trust the OmniPersona/OmniPermission backend and understand it is not a hard security boundary when the agent can run OpenClaw CLI commands. Use isolated mode for sensitive workflows, avoid sharing status output, rotate the key if it was exposed, and verify what the mobile approval prompt actually shows before relying on it for high-risk tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium, 98% confidence
Finding
The `status` command reads the persisted secret key and prints it verbatim to stdout. This exposes a sensitive credential to terminal history, screen recording, shoulder surfing, logging pipelines, or remote shell/session capture, which is especially risky because this plugin manages approval/security controls.

Missing User Warnings

Medium, 91% confidence
Finding
The README explicitly states that the agent's intent and parameters are sent to a mobile app for approval, but it does not clearly warn users that sensitive prompt contents, tool arguments, secrets, personal data, or repository data may be transmitted off-host to a separate service/device. Because this plugin is meant to intercept high-risk actions across tools like Slack, Telegram, and GitHub, the forwarded data may contain confidential material, making the omission a meaningful privacy and data-handling vulnerability.

Missing User Warnings

Medium, 93% confidence
Finding
The skill instructs users to install a mobile app and route approval workflows through it, but it does not clearly warn that tool-call metadata will be transmitted to an external app/service. This can cause users to unknowingly expose command names, arguments, file paths, or operational context outside their local environment.

Missing User Warnings

High, 98% confidence
Finding
The recommendation to fork the implementation and include the agent's internal reasoning or project identifiers in mobile notifications encourages transmission of highly sensitive data to an external service without any warning about confidentiality risks. Internal reasoning, secrets, customer data, file contents, or regulated project metadata could be exposed through push notifications, app storage, logs, or backend systems.

Missing User Warnings

Medium, 99% confidence
Finding
The code explicitly logs `keyContent.trim()` in the status output with no masking or warning. Even though this is a local CLI, secrets displayed on consoles are commonly captured by shell scrollback, shared terminals, support screenshots, CI/automation wrappers, and endpoint monitoring tools, turning a local usability feature into credential disclosure.

Missing User Warnings

Medium, 92% confidence
Finding
The code persists an OmniPersona UUID key in plaintext on disk under the plugin state directory without any access controls, encryption, or user-facing notice. If the local filesystem, plugin state directory, backups, or logs are exposed to another local user, malware, or a compromised process, the key can be recovered and used to impersonate or access the associated service.

VirusTotal

65/65 vendors flagged this skill as clean.
