Bitchat

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Bitchat messaging plugin, but its default open inbound messaging and unauthenticated webhook can let nearby peers or reachable callers inject messages into OpenClaw sessions.

Install only if you intentionally want OpenClaw connected to a local Bitchat mesh. Before enabling it, set dmPolicy to allowlist or disabled, keep the bridge and webhook bound to localhost or a trusted network, avoid exposing the gateway publicly, and treat all mesh-originated messages as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill explicitly provides messaging over BLE/LAN mesh networks and exposes commands to start a node and send messages, yet the metadata declares no permissions. This mismatch weakens security review and user consent because the runtime behavior includes network-capable operations that are not transparently declared, increasing the chance of unexpected communications or policy bypass.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The README explicitly says incoming messages are routed to an active AI session, but it does not warn that untrusted nearby peers can inject content into agent context. In an agent system, this can enable prompt injection, unauthorized task triggering, data exfiltration via model responses, or unsafe tool use if the channel is enabled with an open DM policy.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The webhook accepts externally supplied POST data and injects it directly into the OpenClaw session via api.injectMessage without any authentication, signature verification, or origin validation. An attacker who can reach this endpoint can spoof sender metadata and deliver arbitrary content into agent conversations, which can enable prompt injection, impersonation, spam, or workflow manipulation.

VirusTotal

63/63 vendors flagged this skill as clean.
