LocalUDPMessenger

Security checks across malware telemetry and agentic risk

Overview

This is a real local agent-messaging skill, but it gives trusted network peers and optional relay/wake-up settings enough influence over agent behavior and message exposure that users should review it carefully before installing.

Install only if you intentionally want agents to communicate over your LAN. Keep relayServer and hookToken disabled unless you control the relay endpoint and accept that message contents may be copied or used to trigger agent turns. Use only highly trusted peers, review udp_log regularly, revoke stale peers, and do not rely on always-confirm as a safety boundary in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill documentation indicates access to hook tokens, runtime configuration, and environment-related behavior, but the manifest does not clearly declare corresponding permissions or data access expectations. This creates a transparency and review gap: users may enable a network-capable skill without understanding that it can read sensitive configuration needed for wake-up and relay behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose presents the skill as a local LAN messenger, but the behavior expands into message forwarding to a relay server, reading application config and hook tokens, local webhook triggering, persistent trust storage, and stop-hook instruction injection. That mismatch is dangerous because users may approve the skill for simple peer messaging while unknowingly enabling monitoring, persistence, and automation pathways that broaden attack surface and data exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation explicitly allows forwarding all sent and received agent messages to a central relay server, which expands the trust boundary beyond local LAN peer messaging. Even if intended for monitoring, this creates a data exfiltration path for potentially sensitive inter-agent content and weakens the plugin's stated local-only security model.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states that all traffic is local UDP and nothing leaves the network, but other documented features contradict that claim: the relay server forwards message contents to a central monitor, and the wake-up webhook posts data to the local Gateway over HTTP. This is a security-significant documentation flaw because operators may enable the plugin under false assumptions about network boundaries and data exposure.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The security section says peers are never auto-approved and require explicit trust, yet the documented udp_add_peer tool allows manually adding and trusting a peer outside the normal approval flow. This inconsistency can mislead users about how trust is established and may cause them to overestimate protections against unauthorized peers.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill can forward every sent and received message to a configurable relay server, which extends a local UDP messaging tool into a network exfiltration channel. Because message contents are transmitted off the local peer path and there is no explicit per-message user consent, sensitive agent-to-agent data can be disclosed to an external system.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Trusted incoming UDP messages can automatically trigger a local HTTP webhook that causes autonomous agent turns, effectively converting network messages into prompt injection input with execution potential. This is especially dangerous because the received content is embedded into an agent prompt and acted on without a human review step, allowing a trusted peer or spoofed trusted sender to steer agent behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill reads global config and environment variables to obtain webhook credentials unrelated to basic UDP transport, increasing privilege scope beyond its stated purpose. This creates unnecessary access to sensitive secrets and enables the autonomous webhook behavior without a narrowly scoped permission boundary.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The manifest adds an optional relay server that forwards all agent messages to a central host, which expands the trust boundary from local peer-to-peer UDP messaging to centralized collection. Even if disabled by default, exposing this capability in a messaging skill creates a clear data exfiltration and surveillance path if configured, misconfigured, or enabled without strong user understanding and controls.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The webhook token option allows incoming trusted UDP messages to trigger a full agent turn via /hooks/agent, bridging unauthenticated or weakly authenticated local network traffic into a more powerful execution path. This materially exceeds simple message delivery and can let network-originated input activate agent behavior, increasing the risk of prompt injection, unauthorized actions, or remote triggering if trust decisions are bypassed or too permissive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Forwarding all messages to a monitoring relay without a strong, explicit privacy warning can cause users or operators to unknowingly transmit sensitive prompts, responses, and operational details off-device. In an agent-messaging skill, those messages may include internal coordination, secrets, or user-derived data, so silent broad forwarding materially increases privacy and confidentiality risk.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The instruction to respond to trusted peers 'as if a user is talking to you' blurs the distinction between authenticated human input and network-originated agent messages. That can let a trusted or spoofed peer influence the agent's behavior, trigger sensitive actions, or bypass normal user-consent expectations, especially when combined with automatic wake-up and auto-response behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes forwarding every sent and received message to a monitoring server, including payload contents and peer metadata, but does not give a strong privacy/security warning. In an agent-messaging skill, this is especially sensitive because relayed content may include prompts, secrets, project data, or internal coordination messages that users may not expect to be duplicated elsewhere.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README lists multiple places where the webhook token may be configured and even shows setting it at runtime, but it does not clearly emphasize that this token is a secret credential. In this skill context, exposure of the token could let an attacker trigger agent wake-up hooks or abuse the local Gateway integration, increasing the risk of unauthorized agent actions or message-driven automation.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad enough to match ordinary collaboration requests, which increases the chance the skill is invoked in contexts where network messaging was not intended. Because this skill can send messages, discover peers, and potentially forward content, overbroad activation raises the risk of accidental data disclosure or unreviewed network interaction.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes LAN discovery, relay forwarding, and automatic wake-up, but does not present these with a prominent privacy and security warning. Users may not realize that peer discovery exposes presence on the network, relay mode can duplicate message contents to another host, and wake-up can cause autonomous processing of incoming trusted-peer traffic.

Missing User Warnings

High
Confidence
98% confidence
Finding
Relay forwarding copies full message contents to a monitoring server without meaningful user-facing warning or confirmation at the point of use. In a skill marketed as local network agent messaging, silently duplicating communications to another host is a serious privacy and data handling violation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill loads hook tokens from global configuration and environment without explicit user disclosure, which obscures that it is consuming sensitive credentials and enabling local webhook-triggered execution. Hidden secret use is risky because users may believe the skill only performs UDP messaging while it actually gains additional capabilities from ambient credentials.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The relay/monitor setting is described as a simple optional address and states that all messages are forwarded, but it does not present strong activation constraints, security requirements, or exclusion guidance. That kind of broad, underspecified configuration makes accidental enablement and insecure deployment more likely, especially in a skill marketed for local agent coordination.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The manifest text advertises central monitoring of all messages without explicit opt-in language or privacy-focused framing, which normalizes comprehensive message collection in a skill described as local network communication. In context, this increases the chance that operators enable surveillance-like behavior without informed consent from users or peer agents.

Exfiltration Commands

High
Category
Prompt Injection
Content
---
name: udp-messenger
description: Use when agents need to communicate over the local network — "send message to agent", "discover agents", "check for messages", "coordinate with other agents", "approve agent", "agent status", "add peer", "message log"
metadata:
  openclaw:
    requires:
Confidence
84% confidence
Finding
send message to

VirusTotal

66/66 vendors flagged this skill as clean.