OpenClaw Output Metrics Footer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide the advertised metrics footer, but it also reads a local Codex OAuth token and uses it for outbound quota checks while broadly modifying channel messages by default.

Install only if you trust the publisher and want channel recipients to see operational metadata such as model, token usage, context pressure, subagent totals, and quota state. Before enabling, restrict enabledChannels and disabledConversations to known internal channels, and understand that quota display reads a local Codex OAuth token from OpenClaw auth profiles and uses it to query chatgpt.com.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill documentation instructs installation of a plugin that performs outbound network access, but the skill does not declare that capability or clearly warn about it. Undeclared network behavior reduces user visibility and informed consent, especially because the footer feature appears primarily presentational while the implementation reaches external services for quota data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
This is a real security concern because the described behavior goes beyond rendering a footer: it reads local authentication profile data, extracts OAuth tokens, and uses them in outbound requests. Accessing stored tokens from local files materially expands the trust boundary and can expose sensitive credentials or normalize unsafe token-handling patterns if the extension is compromised or modified.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The plugin does more than display local footer metrics: it reads a locally stored OAuth token from auth-profiles.json and uses it to call an external ChatGPT backend API. That behavior expands the trust boundary beyond the stated purpose, creates undisclosed credential handling, and could expose sensitive account metadata or normalize covert token use inside a seemingly harmless UI plugin.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The code extracts an access token from stored OAuth profiles and sends it as a Bearer token in a network request to https://chatgpt.com/backend-api/wham/usage. Using stored credentials in a plugin whose advertised role is only formatting message footers is a serious privilege mismatch and creates a pathway for unauthorized credential use or future abuse if the endpoint or code changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README instructs users to enable `allowConversationAccess` but does not clearly disclose that this grants the plugin access to message/conversation contents across channels. Because this skill processes outbound messages and aggregates usage telemetry, the missing warning can cause users to grant broad data access without informed consent, increasing privacy and data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill enables footer display across all supported providers by default when enabledChannels is empty, but it does not clearly warn users that runtime metrics and model usage metadata may be exposed broadly across channels. That can leak operational information to unintended audiences and increase recon value in shared or semi-public workspaces.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The plugin silently reads a local access token and performs an external authenticated request without any user-facing warning, consent flow, or visible disclosure in the code path. Even if the immediate request is only for quota data, covert credential use in a seemingly low-risk skill undermines user expectations and increases the chance of unnoticed sensitive-data access.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The design explicitly instructs the extension to read a local auth profile, extract a Codex OAuth access token, and use it to query a remote usage endpoint, but the documentation does not require explicit user consent, scope minimization, or clear disclosure that local credentials will be accessed for account-linked data retrieval. Even if the endpoint is legitimate and the token is not printed, this behavior expands the trust boundary around sensitive local authentication material and can surprise users or create opportunities for misuse if the extension is modified, logged incorrectly, or installed in shared environments.

VirusTotal

64/64 vendors flagged this skill as clean.
