Back to skill

Security audit

Reverse proxy from internet to open claw

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to expose OpenClaw remotely, but it also packages live bearer credentials for sharing and makes high-impact network and system changes without enough scoping or warnings.

Install only if you intentionally want your OpenClaw API reachable from the public internet and you understand that the generated token grants live remote access. Avoid using the friend-sharing package with raw credentials unless you can rotate/revoke the token immediately afterward, and review every sudo/install/config-change step before running the scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises and invokes shell scripts but does not declare permissions, which prevents users or the platform from understanding that it can execute local commands. In this context, the omitted declaration is security-relevant because the skill installs software, changes configuration, and exposes a local service externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose understates the actual behavior: beyond connectivity, the skill installs dependencies, uses privileged operations, modifies OpenClaw auth/config, stores credentials, restarts processes, and facilitates sharing external access. That mismatch is dangerous because users may consent to 'connectivity' without realizing they are authorizing persistent system changes and public exposure of an API.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README expands the skill from simple connection setup into a workflow for distributing live access to third parties, including packaging credentials and test tooling for others. That broader sharing capability increases exposure and access propagation beyond the stated purpose, making accidental over-sharing and unauthorized reuse more likely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README explicitly promotes creating a shareable package for friends containing credentials and connection instructions. Bundling and distributing authentication material normalizes insecure secret sharing and materially increases the chance of credential leakage, reuse, and uncontrolled external access.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script is explicitly designed to copy a reusable credential file and package it with usage instructions for a third party, enabling delegated API access outside the original host. In the context of a skill whose stated purpose is to expose OpenClaw publicly, this materially increases risk by turning one-time connectivity setup into portable credential distribution that can be reused, copied again, or abused without further approval.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code exports credentials and instructions so another person can directly call the API, which is a capability expansion beyond merely enabling external access. Because the delegated party receives a bearer token and endpoint details, they can use the service independently and potentially continue access until manual revocation, making compromise or misuse much more likely.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README tells users to share a credentials file that contains a live bearer token and public URL, but it does not clearly warn that anyone with the file can access the exposed OpenClaw instance. This encourages unsafe secret handling and can directly lead to unauthorized API use, data exposure, and service abuse.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill’s primary function is to expose OpenClaw publicly via Tailscale Funnel, yet the README lacks an upfront warning about the privacy, abuse, and system-integrity risks of internet exposure. Users may enable public access without understanding that they are making a local service reachable by external parties.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like 'enable external access' can cause accidental invocation of a skill that makes a local service publicly reachable. In this skill's context, accidental activation is more dangerous because the action changes network exposure and authentication state, not just a local preference.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation lacks a prominent warning that the skill will make the service publicly reachable, modify local configuration, store tokens, and restart components. Missing disclosure increases the chance of uninformed consent and unsafe operation, especially for users who may not appreciate the consequences of exposing an API to the internet.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script intentionally enables Tailscale Funnel and prints a public URL, which makes the OpenClaw API internet-accessible. In the context of a skill whose purpose is to 'expose openclaw publicly,' the risk is real because the script does not require an explicit confirmation after clearly warning the user that this will publish the service externally and may expose sensitive model/API access if misconfigured.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script forcefully kills gateway processes using pkill -9 with broad process-name matching and no confirmation. This can terminate unintended processes, cause data loss, interrupt active sessions, and makes the operation destructive in a way the user may not expect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script duplicates secrets into a shareable directory with no explicit warning, confirmation prompt, or summary of the security consequences before doing so. That makes accidental disclosure more likely, especially since the output is presented as ready to zip and send, normalizing unsafe secret handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs a live network request to a remote Funnel endpoint and includes the bearer token in the Authorization header during what is presented as a status check. This leaks a sensitive credential to an external service without explicit user confirmation, and if FUNNEL_URL is misconfigured or attacker-controlled, the token could be exposed to an unintended party.

External Transmission

Medium
Category
Data Exfiltration
Content
On success, the script outputs:
- Public URL: `https://<machine>.tail<xxxxx>.ts.net/v1/chat/completions`
- Auth token for API access
- Example curl command

## Requirements
Confidence
90% confidence
Finding
curl command ## Requirements - macOS with Homebrew - Tailscale account (free at tailscale.com) - sudo access (for Tailscale service) ## Security - Generates cryptographically random 32-byte auth t

External Transmission

Medium
Category
Data Exfiltration
Content
# Test endpoint if everything looks good
if [ -n "$FUNNEL_URL" ] && [ -n "$TOKEN" ]; then
    echo -e "${BLUE}Endpoint Test:${NC}"
    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
        -H "Authorization: Bearer $TOKEN" \
        -H "Content-Type: application/json" \
        "$FUNNEL_URL/v1/chat/completions" \
Confidence
95% confidence
Finding
curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ "$FUNNEL_URL/v1/chat/completions" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""

# Make test request
RESPONSE=$(curl -s -w "\n%{http_code}" "$URL/v1/chat/completions" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"Hello! Please respond with a short greeting."}]}')
Confidence
90% confidence
Finding
curl -s -w "\n%{http_code}" "$URL/v1/chat/completions" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

Credential Access

High
Category
Privilege Escalation
Content
**Manual way:**

1. Run the setup script (if you haven't already)
2. Share `~/.openclaw/ecto-credentials.json` with them
3. Share `scripts/test-connection.sh` for easy testing

**For your friend (test the connection):**
Confidence
96% confidence
Finding
credentials.json

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- macOS with Homebrew
- Tailscale account (free at tailscale.com)
- sudo access (for Tailscale service)

## Security
Confidence
91% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
- Check: `tailscale funnel status`

**Auth errors?**
- Token is in: `~/.openclaw/ecto-credentials.json`
- Regenerate with: `./scripts/connect.sh --regenerate-token`

**Gateway not responding?**
Confidence
95% confidence
Finding
credentials.json

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# If still not running, start manually
    if ! sudo tailscale status &> /dev/null; then
        print_warning "Starting tailscaled manually..."
        sudo /opt/homebrew/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state &
        sleep 3
    fi
Confidence
78% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
#######################################

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CREDENTIALS_FILE="$HOME/.openclaw/ecto-credentials.json"
OPENCLAW_CONFIG="$HOME/.openclaw/openclaw.json"
GATEWAY_LOG="/tmp/openclaw-gateway.log"
GATEWAY_PORT=18789
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
mkdir -p "$OUTPUT_DIR"

# Copy files
cp "$CREDENTIALS_FILE" "$OUTPUT_DIR/ecto-credentials.json"
cp "$SCRIPT_DIR/test-connection.sh" "$OUTPUT_DIR/test-connection.sh"
chmod +x "$OUTPUT_DIR/test-connection.sh"
Confidence
99% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Using the API

The `ecto-credentials.json` file contains:
- `url`: The API endpoint
- `token`: Your authentication token
Confidence
95% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.