OpenClaw Admin Main

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw admin dashboard, but it exposes very powerful host and gateway controls with weak default scoping and several under-protected endpoints.

Install only in a trusted, local or tightly firewalled admin environment. Configure strong AUTH_USERNAME and AUTH_PASSWORD before exposing it, do not put it on the public internet, review the unauthenticated npm update and media endpoints, and assume anyone with dashboard access can control the host, read or modify OpenClaw state, and access secrets/backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The gateway requests very broad privileges, including operator.write and operator.admin, by default without any visible feature gating or demonstrated need in this file. If the remote service honors these scopes, compromise of the client, token, or connection would grant unnecessary administrative control, violating least privilege and increasing blast radius.

Context-Inappropriate Capability

High (98% confidence)
Finding
The /api/media endpoint is explicitly unauthenticated and serves arbitrary files from media directories derived from environment variables and user home paths. Its traversal protection is weak and the authorization model is inappropriate for local file exposure, so anyone who can reach the server may retrieve screenshots or other sensitive local artifacts.

Context-Inappropriate Capability

High (95% confidence)
Finding
The /api/rpc endpoint proxies arbitrary method names and parameters directly to the backend gateway, effectively exposing the full backend RPC surface to any authenticated user. If the gateway supports privileged operations, this becomes a capability-escalation channel and bypasses intended server-side access control and input validation.

Context-Inappropriate Capability

Critical (99% confidence)
Finding
The terminal endpoints create PTY-backed interactive shells on the host and allow arbitrary input to be written to them. This is remote shell access by design, and if authentication is weak, disabled, or compromised, an attacker gains command execution with the privileges of the server process.

Context-Inappropriate Capability

Critical (99% confidence)
Finding
The desktop APIs create virtual displays, capture frames, and inject mouse/keyboard input, giving remote interactive control over the host desktop environment. This enables surveillance and full UI-driven actions, which can be abused for data theft, command execution, or persistence if access is obtained.

Context-Inappropriate Capability

High (96% confidence)
Finding
The npm update endpoint executes a package-management command on the host and interpolates a user-provided version into a shell command. Even if the version is expected to be a package version, this pattern risks command injection and also permits arbitrary system modification via global package installation.

Context-Inappropriate Capability

High (93% confidence)
Finding
The backup and restore logic archives and restores sensitive application state including .env secrets, databases, and OpenClaw home data. Restore operations overwrite live configuration and data from uploaded archives, making this a high-risk privileged capability that can expose secrets or facilitate malicious reconfiguration if abused.

Missing User Warnings

Medium (95% confidence)
Finding
The skill advertises powerful administrative capabilities such as node monitoring, agent reconfiguration, log access, ACL management, and security policy control, but it does not warn users that these are highly privileged actions that could expose sensitive data or alter system security. In an admin-interface skill, omission of clear warnings and trust-boundary guidance increases the chance of unsafe deployment, overbroad access, or accidental exposure of critical infrastructure controls.

Missing User Warnings

Medium (88% confidence)
Finding
The config read endpoint returns parsed .env contents, including authentication and gateway secrets, to any authenticated caller. While not unauthenticated, exposing raw secrets through the UI/API materially increases the blast radius of account compromise and violates least privilege.

Missing User Warnings

Medium (96% confidence)
Finding
The code generates a long-lived Ed25519 private key and persists it in localStorage, which is readable by any script executing in the same origin. If the application ever suffers XSS, compromised third-party script inclusion, or malicious browser extension access, the key can be exfiltrated and used to impersonate the device indefinitely. The skill context makes this more dangerous because this key is explicitly used for signing device payloads, so theft directly enables forged signatures rather than only passive disclosure.

Missing User Warnings

Medium (98% confidence)
Finding
The EventSource connection places the auth token in the URL query string (`?token=...`). Query-string tokens are prone to exposure through browser history, reverse-proxy and web server access logs, monitoring tools, crash reports, and accidental leakage via copied URLs; unlike an Authorization header, they are routinely recorded by infrastructure. In this client context, the issue is more dangerous because SSE connections are long-lived and the code logs the full URL, which can further expose the token in client-side logs.

Missing User Warnings

Medium (93% confidence)
Finding
The store persists a bearer authentication token in localStorage, which is readable by any JavaScript executing in the page context. If the application ever has an XSS flaw or loads a compromised third-party script, the token can be stolen and replayed to impersonate the user until expiry or revocation. In this frontend auth context, that makes the issue materially more dangerous because the token is directly used for Authorization headers on protected API calls.

Missing User Warnings

Medium (98% confidence)
Finding
The code appends the bearer token to the SSE URL query string before creating EventSource. Tokens in URLs are prone to leakage through browser history, logs, reverse proxies, monitoring systems, Referer-like propagation, and diagnostic tooling, making credential compromise more likely than if the token were kept in an Authorization header or secure cookie.

Missing User Warnings

Medium (97% confidence)
Finding
The code appends the authentication token to the EventSource URL query string before creating the SSE connection. Tokens in URLs can be exposed through browser history, logs, reverse proxies, monitoring systems, referrer leakage, and server access logs, making credential disclosure more likely than when sent in headers or secure cookies.

VirusTotal

54/54 vendors flagged this skill as clean.