Reverse proxy from internet to open claw

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to expose OpenClaw remotely, but it grants public API access and handles reusable credentials with weak safeguards.

Install only if you intentionally want to publish your OpenClaw API on the internet. Review the scripts first, install Homebrew and Tailscale yourself if possible, do not share the generated credentials broadly, rotate the token after any sharing, and verify authentication is working before leaving Funnel enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell scripts but does not declare permissions, which hides its true execution capabilities from users and any permission-gating system. In a skill whose purpose is to expose a local service publicly, undeclared shell access materially increases risk because it can install software, edit configuration, and restart services without clear upfront disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose understates the actual behavior: beyond connectivity setup, it appears to install/manage software, authenticate the user, change OpenClaw security settings, restart the gateway, test the exposed endpoint, and package credentials into a shareable folder. That mismatch prevents informed consent and can lead users to approve a much broader and riskier workflow than expected, including credential handling and public exposure of a local service.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to create and share a package containing live credentials and test tooling for third parties. That goes beyond merely enabling connectivity and directly encourages distribution of reusable API access, which meaningfully increases the chance of unauthorized use, credential leakage, and loss of control over the exposed OpenClaw instance.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The README documents persistent storage of an authentication token in a local credentials file and instructions for regeneration/sharing, which expands the skill's effective behavior into credential lifecycle management. Persistent secret storage increases exposure if the host is compromised, backed up insecurely, or the file is mistakenly shared.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script enables both chatCompletions and responses endpoints while the skill description only speaks about exposing OpenClaw publicly via an ecto connection. Expanding externally reachable API surface beyond what users are told increases attack surface and can unintentionally expose additional functionality to the internet.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script installs Homebrew by piping a remotely fetched script from GitHub directly into bash. This creates a supply-chain and remote code execution risk: if the network, source, or repository is compromised, arbitrary code will run on the host.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script is explicitly designed to package and distribute a reusable bearer token and endpoint to another party, which materially expands access beyond simply exposing a service via Tailscale Funnel. Because the token is copied into a shareable folder and documented for direct API use, anyone who receives or intercepts the package can invoke the API until the token is rotated.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is enabling external access, but this script adds credential delegation to other users by creating a redistribution package containing active API credentials. That broadens the trust boundary and enables uncontrolled downstream sharing, making misuse, leakage, and unauthorized continued access much more likely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This status script goes beyond passive inspection by loading a stored bearer token and performing an authenticated request to a remote API. That creates unnecessary credential use and network side effects for a command a user would reasonably expect to be read-only, increasing the chance of accidental token exposure, audit noise, or unintended interaction with the exposed service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes 'one-command' public exposure of OpenClaw via Tailscale Funnel without any prominent warning that this publishes a previously local service to the internet. In this skill context, the omission is dangerous because users may enable remote access without understanding privacy, abuse, cost, or data-exposure consequences.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README tells users to share the credentials file with 'anyone' they want to give access, but does not plainly state that the file contains a bearer token granting live API access to their OpenClaw instance. Bearer tokens are effectively passwords, so broad sharing enables misuse, resale, leakage through chat/email/cloud drives, and persistent unauthorized access until rotation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad activation phrases like 'connect' and natural-language triggers for 'expose openclaw publicly' increase the chance of accidental invocation of a high-impact skill. Because this skill can make a local service internet-accessible and restart components, ambiguous triggering is more dangerous than for a low-risk informational skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase 'or similar' makes activation boundaries undefined, allowing an agent to infer intent too loosely for a risky action. In context, this can result in unintended execution of scripts that expose a service externally, alter configuration, and restart the gateway.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill description does not prominently warn that it will expose a local service publicly, modify OpenClaw configuration, and restart the gateway. Missing this warning undermines informed consent for actions that materially change the security posture of the host and could create remote attack surface.

Missing User Warnings

High
Confidence
97% confidence
Finding
This section publicly exposes the OpenClaw gateway through Tailscale Funnel without a clear, explicit warning that the service will become internet-accessible. In the context of an agent skill, silently changing a local service into a public endpoint materially increases exposure and the chance of unauthorized access or data leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script directly modifies the main OpenClaw configuration and creates a backup copy that may contain authentication settings, without clearly warning the user. This can leave sensitive credentials duplicated on disk and broaden the number of files that must be protected.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script copies the token-bearing credentials file into an output directory immediately, without any explicit warning, confirmation, or safeguard before exporting sensitive material. In a skill intended to simplify public exposure, this is especially dangerous because users may not realize they are creating a portable credential bundle that can be forwarded or leaked.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads a local credentials file and prints part of the bearer token plus the service URL to standard output. Even partial token disclosure can leak sensitive information into terminal logs, screenshots, shell history captures, CI logs, or remote support sessions, and it normalizes credential handling in a status command.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently sends a bearer token in an outbound request without any explicit warning or confirmation. In the context of a 'status' utility, that is risky because users may not expect credentialed network traffic, and a manipulated or stale URL in the credentials file could cause secret disclosure to an unintended endpoint.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically sends a bearer token from a local credentials file to whatever URL is stored in that file, without any trust validation or explicit warning that the token will be transmitted. In the context of a skill designed to expose a service publicly and share credentials with others, this increases the chance of users testing against an attacker-controlled or mistyped endpoint and leaking valid API credentials.

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""

# Make test request
RESPONSE=$(curl -s -w "\n%{http_code}" "$URL/v1/chat/completions" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"Hello! Please respond with a short greeting."}]}')
Confidence
90% confidence
Finding
curl -s -w "\n%{http_code}" "$URL/v1/chat/completions" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- macOS with Homebrew
- Tailscale account (free at tailscale.com)
- sudo access (for Tailscale service)

## Security
Confidence
84% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
- Check: `tailscale funnel status`

**Auth errors?**
- Token is in: `~/.openclaw/ecto-credentials.json`
- Regenerate with: `./scripts/connect.sh --regenerate-token`

**Gateway not responding?**
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
echo ""
    echo "Usage: $0 [path-to-credentials.json]"
    echo ""
    echo "Ask your friend to share their ecto-credentials.json file with you."
    exit 1
fi
Confidence
76% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.
