Security audit

Clawpulse Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its monitor exposes an unauthenticated internal status endpoint on all network interfaces by default.

Review before installing. If you use it, bind the monitor to localhost or a Tailscale/firewalled interface; patch or disable /internal, or require the same bearer token for it that protects the other endpoints; and keep terminal output and QR images private, because they contain the access token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill instructs users to run shell scripts, access environment variables, read files, and expose a network service, but it does not declare permissions or clearly scope those capabilities. This reduces transparency and informed consent, making it easier for a user or platform to underestimate the operational and security impact of the skill.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The script comments describe safer, non-remote defaults, but the actual default bind host is 0.0.0.0, which exposes the service on all interfaces by default. In a setup script for a token-protected status bridge, misleading operators about exposure materially increases the chance they deploy an internet- or LAN-reachable service unintentionally.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The script prints the bearer token to stdout and embeds it in a setup URL and QR code, which can leak through terminal scrollback, shell logging, screenshots, screen sharing, process capture, or saved QR artifacts. Because that token is the sole authentication factor for the status endpoint, disclosure enables unauthorized status access from any allowed network location.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The script binds the monitor to 0.0.0.0 by default, exposing a token-protected health/status service on all network interfaces rather than limiting it to localhost or a Tailscale-only address. In the context of a setup script explicitly intended for remote mobile access and token-based monitoring, this broad exposure materially increases attack surface and makes token leakage or brute-force attempts much more dangerous.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The dry-run output prints the live monitor token and generates a QR code embedding the token, which can be captured in terminal logs, screenshots, shell history workflows, screen sharing, or image files left on disk. Because the same token authenticates access to the monitor endpoint, disclosure directly enables unauthorized status access by anyone who obtains it.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The documented default bind of 0.0.0.0 exposes the status bridge on all interfaces, which can make it reachable from LAN or Tailscale without the user explicitly opting in. Even with token protection, increasing network exposure expands the attack surface and raises the risk of unauthorized probing, token theft opportunities, or metadata leakage.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The guide tells users that setup prints a QR code and bearer token for app import, but it does not clearly state that these are sensitive credentials that grant access to the status endpoint. Displaying or sharing them carelessly can enable unauthorized access, especially in shared terminals, logs, screenshots, or screen recordings.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The /health and /status endpoints return assistant name, work status, token usage, thought text, and timing metadata, and the server binds to 0.0.0.0 by default. Although APP_TOKEN protects these endpoints when configured, the code exposes operationally sensitive state over the network and also leaves /internal completely unauthenticated, increasing the chance of unintended disclosure.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The monitor sends a bearer token to the bridge and defaults to an HTTP URL, which can expose credentials and polled data if traffic leaves the host or traverses an untrusted network. In this skill's context, the bridge is described as token-protected and network-accessible, so using cleartext transport is more dangerous than a purely local-only design.

Missing User Warnings
Severity: Medium
Confidence: 99%
Finding: The script displays sensitive token material directly to stdout during setup, with no masking or warning. In operational environments this is risky because terminals may be recorded, copied into logs, or visible to others, and the token appears sufficient to authenticate to the monitor service.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.