AgentsMakingFriends

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it exposes a local OpenClaw agent to network callers with weak default access controls and risky token handling.

Install only if you intentionally want to expose OpenClaw over A2A. Do not run the server on a public or shared network unless you add strong authentication, TLS or VPN/firewall controls, and a restricted agent profile. Avoid storing tokens in markdown files or logs, and do not send bearer tokens to remote agent URLs you do not fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"[A2A] Received: {text}")

try:
    result = subprocess.run(
        ['openclaw', 'agent', '--agent', 'main', '--message', text, '--json'],
        capture_output=True,
        text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ['openclaw', 'agent', '--agent', 'main', '--message', text, '--json'], capture_output=True, text=True,

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The agent card advertises an 'execute' skill even though this server is presented as an A2A communication bridge. Advertising command execution widens the apparent attack surface and can induce remote peers to send higher-risk requests under the assumption that this service supports execution semantics.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Message handling directly invokes the local OpenClaw CLI, so this endpoint is effectively a remote execution gateway into the local agent runtime rather than a passive protocol adapter. In the context of an agent server, that is especially dangerous because attacker-controlled prompts may cause the downstream agent to access sensitive data, call tools, or perform actions beyond simple message relay.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The agent card advertises a general-purpose assistant with an explicit "execute" skill that can run shell commands and process files, which is materially broader and more dangerous than a narrowly scoped A2A communication skill. In an A2A context, remote agents may rely on this manifest to discover and invoke capabilities, so overstating broad execution powers increases the risk of unsafe delegation, confused-deputy behavior, and exposure of high-risk actions to untrusted peers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to send a bearer token to a remote agent endpoint without warning about trust, transport security, or the sensitivity of that credential. If the remote endpoint is malicious, misconfigured, or reached over insecure HTTP, the token can be intercepted or abused to impersonate the user or access connected services.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Telling users to place a bearer token directly in TOOLS.md encourages storing credentials in plaintext documentation, where they may be checked into source control, exposed to other tools, or read by unintended parties. In an agent ecosystem, such files may also be ingested by other automation components, increasing the chance of secret leakage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The client accepts an arbitrary agent URL and, if a token is provided, automatically attaches it as a Bearer token to requests sent to that remote endpoint. In a skill specifically designed for agent-to-agent communication across servers, this creates a real risk of credential disclosure to an untrusted or mistyped host, especially because there is no validation, allowlist, HTTPS enforcement, or warning before transmitting the token.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The startup log prints the bearer token in cleartext, which can leak credentials to terminals, shell history captures, process supervisors, centralized logs, or support screenshots. Anyone who obtains that token can remotely access the A2A service with the server’s full exposed privileges.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Incoming message content is logged verbatim, which may expose prompts, sensitive business data, credentials, or personal information submitted by remote users. In an agent-to-agent setting, prompts frequently contain secrets or internal context, so routine logging increases the risk of secondary disclosure through log access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill descriptions are broad and underspecified, especially "chat" and "execute," which creates ambiguity about when these capabilities should be invoked and what safety constraints apply. In agent-to-agent integrations, ambiguous manifests can cause overbroad activation, unsafe tool selection, or remote use of sensitive actions without clear operator intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest discloses command execution and file processing but provides no warning, consent requirement, or safety notice indicating that these are high-risk operations. Because this card is meant to be consumed by other agents, omitting those warnings makes accidental or unauthorized triggering more likely and hides the true risk of system-level side effects.

VirusTotal

66/66 vendors flagged this skill as clean.
