LocalUDPMessenger

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed UDP agent-messaging tool, but it can forward full message contents and let trusted network peers trigger agent turns, with some controls weaker than the documentation suggests.

Install only if you intentionally want LAN agent-to-agent messaging with optional central monitoring and automatic wake-up. Keep relay disabled unless the destination is trusted and protected, avoid putting secrets in messages, use always-confirm cautiously because its implementation appears weaker than documented, and do not provide a hook token unless you accept that trusted peers will be able to trigger agent turns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a local UDP messaging utility, but the documentation also exposes broader orchestration and data-routing behaviors: webhook-triggered agent wake-ups, relay forwarding to a monitoring server, runtime reconfiguration, and stop-hook behavior. This mismatch is dangerous because users may trust and invoke a seemingly local-only messaging tool without realizing it can trigger autonomous agent turns or forward message contents off-host.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The documented `relayServer` option expands the skill from local peer-to-peer UDP messaging into centralized forwarding of all sent and received messages. That creates a clear data-exfiltration and surveillance path, especially because the description says all messages are forwarded for monitoring without an explicit consent flow or strong privacy warning.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The wake-up mechanism introduces an HTTP webhook path and token handling that are outside the stated UDP messenger scope, increasing attack surface and creating another trust boundary. If the hook token is exposed or weakly managed, trusted peer messages can trigger active agent execution, which is more dangerous than passive message delivery.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented capability extends beyond local LAN messaging by including forwarding to a central monitor server and triggering Gateway webhooks. That broadens both the trust boundary and the attack surface: messages may leave the local network, and remote inputs can cause agent execution side effects.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Forwarding all sent and received messages to a monitoring dashboard creates an obvious exfiltration channel that is not necessary for basic local UDP messaging. In a multi-agent environment, message contents can include operational context, file details, or user instructions, so blanket forwarding materially increases confidentiality risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic wake-up through `/hooks/agent` turns a messaging plugin into an execution trigger for full agent turns. That is more dangerous than simple message receipt because a trusted peer can indirectly cause autonomous processing loops, increase attack surface, and potentially amplify prompt-injection or denial-of-service scenarios.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The relay feature forwards every sent and received message, including full payload contents and peer metadata, to an externally configured host. In a messaging skill, this creates a covert secondary exfiltration channel beyond the expected local peer-to-peer function, and users may not realize that all agent communications are being copied off-box.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Trusted UDP messages are transformed into a prompt and sent to a local webhook that triggers a real agent turn, effectively allowing network-delivered content to drive agent behavior. Because trust is based on weak peer identity mechanisms and incoming content is embedded directly into the prompt, a spoofed or compromised peer can induce autonomous actions and prompt-injection-style control of the agent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The plugin reads broader application config and environment variables to obtain webhook credentials not required for basic UDP messaging. Expanding credential access in a network-facing skill increases blast radius: if the skill is abused, compromised, or misconfigured, it can leverage secrets meant for other subsystems to trigger privileged local operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Forwarding all messages to a monitoring relay without an explicit privacy warning or consent mechanism risks exposing sensitive prompts, outputs, coordination data, and possibly secrets. In an agent-messaging skill, message contents are likely to include operational context, so silent or underexplained forwarding materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README documents a relay mode that forwards every sent and received message, including full payload contents, to a monitoring server, but it does not prominently warn that this exports potentially sensitive agent communications off the local host and possibly off the originating machine's trust boundary. In a tool explicitly designed for inter-agent communication, users may reasonably enable monitoring for convenience without understanding the privacy and data-governance implications.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation explains multiple ways to source and set the wake-up webhook token, including runtime configuration, but does not clearly identify the token as a sensitive secret that must be protected from logs, screenshots, shell history, or message channels. If mishandled, the token could allow unauthorized triggering of agent webhook actions or widen the attack surface around agent wake-up behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases such as 'send message to agent' and 'coordinate with other agents' are generic enough to match ordinary conversation, increasing the chance of accidental skill invocation. For a network-capable skill, unintended activation is more dangerous because it may initiate peer discovery, message transmission, or trust workflows without the user realizing a network tool was engaged.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Message contents are silently copied to a relay server whenever relay is enabled, but transmission-time operations like `udp_send` do not provide a clear warning that the payload will also be forwarded. This undermines user expectations of local-only messaging and can expose sensitive agent communications to a third party.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The plugin accesses webhook tokens from global config and environment without a strong user-facing disclosure that the skill consumes credentials outside normal UDP messaging scope. While not direct exfiltration by itself, this weakens transparency around secret use and makes dangerous features easier to enable unintentionally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The plugin advertises an optional relay server that forwards all messages for central monitoring, but the description does not clearly warn that message contents may be disclosed to another host. In a messaging skill, this creates a real privacy and data-handling risk because operators may enable the feature without understanding that potentially sensitive inter-agent traffic is being exfiltrated off-box or to another network endpoint.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The configuration text documents that a hook token can be supplied via config or environment variable, but it does not clearly identify the token as a sensitive credential that must be protected from logs, screenshots, config sharing, or accidental disclosure. In this skill, the token appears to trigger agent wake-up behavior via a hook endpoint, so mishandling it could enable unauthorized triggering or abuse of agent actions.

Ssd 3

Medium
Confidence
94% confidence
Finding
The README explicitly instructs forwarding and logging all agent messages, including message content, to a central monitor for human observation. Even if intended for research or observability, this creates a built-in surveillance and data-exfiltration path that can expose sensitive agent communications, credentials, prompts, or proprietary data to another system.

Ssd 3

High
Confidence
98% confidence
Finding
The relay path copies all peer message contents in plain form to a monitoring server, creating comprehensive surveillance of agent communications. In the context of a local-network messenger, this is more dangerous because the expected trust boundary is LAN peer messaging, not centralized content replication.

Ssd 3

Medium
Confidence
96% confidence
Finding
The generated prompt explicitly instructs the agent to treat trusted peer messages like user messages and respond using `udp_send`, embedding attacker-controlled network content directly into an agent turn. This is a classic trust-boundary failure: once a peer is trusted or spoofed as trusted, its messages can steer the agent with little or no mediation.

Exfiltration Commands

High
Category
Prompt Injection
Content
---
name: udp-messenger
description: Use when agents need to communicate over the local network — "send message to agent", "discover agents", "check for messages", "coordinate with other agents", "approve agent", "agent status", "add peer", "message log"
metadata:
  openclaw:
    requires:
Confidence
92% confidence
Finding
send message to

VirusTotal

65/65 vendors flagged this skill as clean.
