Security audit

@vama/openclaw

Security checks across malware telemetry and agentic risk

Overview

The package appears to be a bot integration, but its attachment handling can upload local files and fetch remote URLs without clearly bounded safeguards.

Install only if you intentionally need this BotHub/OpenClaw bot bridge. Protect and rotate its bot credentials, run it with least privilege, restrict file uploads to approved directories, and avoid exposing webhook attachment handling to untrusted sources unless URL allowlists and cleanup controls are in place.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README directs users to store long-lived secrets (`botToken` and `webhookSecret`) in a plaintext local config file but does not warn about filesystem permissions, secret management, or avoiding accidental commits/backups. While this is common in setup docs, it increases the chance of credential exposure if the file is world-readable, synced insecurely, or committed to source control.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The sendFile path reads an arbitrary local file from params.path and uploads its contents to a remote BotHub endpoint with no validation, allowlist, or consent mechanism in this code path. In an agent setting, if an upstream prompt, tool, or untrusted input can influence params.path, this enables unintended exfiltration of local files such as secrets, configs, or user data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: On attachment upload failure, the code sends `[attachment unavailable: ${localPath}]` back to the remote user. This discloses server-side filesystem paths, which can reveal usernames, directory layouts, temp/workspace structure, and other environmental details useful for follow-on attacks or targeted exploitation.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The handler fetches arbitrary attachment URLs from inbound events and saves the response to disk, which creates an SSRF and untrusted-file ingestion surface if the attachment URL source is not strictly trusted and constrained. Even with a size cap, this can be abused to make the server reach internal services, consume resources, or persist attacker-controlled content locally.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal