ClawHub

API Logger

Security checks across malware telemetry and agentic risk

Overview

This is a real API logging tool, but it persistently captures complete LLM conversations and can export them externally, so users should review it carefully before installing.

Install only if you intentionally want persistent full-fidelity logging of LLM API traffic. Before routing real traffic through it, verify the upstream URL, protect and periodically delete the log directory, consider disabling LaunchAgent persistence when not actively debugging, and use Feishu export only after confirming the destination and reviewing the external helper. Static scan was clean and VirusTotal was pending, so this Review verdict is based on the artifact behavior rather than malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, yet the documentation clearly indicates capabilities for file writes, shell execution, network access, and service installation. This mismatch is dangerous because users and policy systems cannot accurately assess or constrain what the skill will do, especially when it installs a proxy and persists it via LaunchAgent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond simple local API logging and visualization by including external Feishu publication, LaunchAgent persistence, and background proxy installation. This broadens the attack and data-exposure surface, and the missing or inconsistent viewer artifact further reduces transparency, making it harder for users to understand the true behavior of the skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README presents the skill as a logging/analysis tool, but the documented installation flow deploys a persistent background proxy via LaunchAgent and changes the runtime path of all LLM traffic. That is a materially broader capability than passive viewing, and the mismatch can prevent users from giving informed consent to system changes and always-on interception.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Feishu export adds an outbound sharing channel for captured prompts and responses, which extends the skill beyond local logging/visualization into external data transmission. Because the README does not frame this as a sensitive exfiltration path, users may underestimate the privacy and compliance impact of enabling it.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The instructions require modifying OpenClaw configuration and restarting the gateway so that all model traffic traverses the proxy, which is broader than a simple viewer tool. This creates a trust and scope mismatch: a user expecting local log inspection is instead being directed to reconfigure core system behavior and route sensitive conversations through an interceptor.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
A terminal log viewer described as a local analysis tool also offers generation of Feishu documents, which is an outbound data-sharing capability. Because logs may contain full prompts and responses, this creates a realistic risk of exporting sensitive data outside the local environment.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Publishing logs to Feishu is not directly necessary for local logging and visualization and introduces third-party data transfer risk. In this skill's context, the logs are especially sensitive because they are described as containing complete prompts, responses, and metadata, so external collaboration features materially increase exposure risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer creates and loads a macOS LaunchAgent with RunAtLoad and KeepAlive, causing the proxy to persist across logins and continue intercepting API traffic in the background. For a logging tool this behavior may be functionally related, but making persistence automatic without an explicit opt-in materially increases risk because users may not realize a long-lived local proxy is always active and capturing prompts/responses.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script silently installs aiohttp with pip3 if missing, modifying the user's Python environment during installation. This is risky because it performs package management side effects without consent, can alter shared environments, and pulls code from package repositories at install time.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The viewer can export complete logged prompts, conversations, and token metadata to an external Feishu document. Because these logs may contain secrets, proprietary prompts, personal data, or model outputs, this creates a clear data-exfiltration path outside the local log-viewing context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A local log viewer normally needs only local read/display functionality, but this code adds network-capable publication of full log contents via another script. In the skill context, the logs explicitly include complete prompts and generations, so the extra export capability materially increases the risk of unauthorized disclosure and broadens the trust boundary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README advertises full capture of prompts, system prompts, generations, and token usage, but does not prominently warn that this may collect secrets, personal data, credentials, and proprietary content. Logging complete LLM exchanges without a strong privacy notice materially increases the chance of sensitive-data retention and later disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Documenting Feishu export without warning that logged conversation content may be transmitted to an external platform creates a clear disclosure gap. Since the logged data includes complete prompts and responses, export can turn local retention risk into third-party exposure and possible compliance violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill emphasizes logging complete prompts, responses, and conversation contents but does not provide a prominent warning about the sensitivity of this data. This is dangerous because users may unknowingly capture secrets, personal data, API payloads, or proprietary prompts into persistent logs that are later browsed or exported.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation steps include writing a macOS LaunchAgent and enabling automatic startup, but the documentation does not prominently warn users about this persistence and system modification. Persistent background services can continue intercepting API traffic beyond the user's immediate awareness, increasing both privacy and operational risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer performs persistent system changes and package installation without an upfront warning or interactive confirmation. In the context of a transparent proxy that logs full prompts and generations, this is especially sensitive because users may unknowingly enable ongoing traffic interception and environment modification.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The proxy intentionally records full request and response bodies, which in an LLM API context commonly include sensitive prompts, personal data, proprietary source code, secrets, and model outputs. Because this is a transparent interceptor and the skill description explicitly emphasizes complete prompt/generation logging, the risk is real: anyone with filesystem access or downstream access to the logs can recover highly sensitive conversation contents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function persists raw API interaction data to daily JSONL files on disk, creating durable storage of sensitive LLM traffic beyond the original request lifecycle. Even though auth headers are partially masked, the code still stores request bodies, streamed raw responses, and parsed responses, so confidential data exposure can occur through local compromise, backups, log sharing, or unintended retention.

Ssd 3

High
Confidence
99% confidence
Finding
The documentation explicitly promotes capturing and exporting complete prompts, system prompts, and generated responses. In this context, that creates a direct workflow for collecting and redistributing highly sensitive natural-language data, including hidden instructions, proprietary inputs, and personal content.

Ssd 3

High
Confidence
98% confidence
Finding
The README states that after restart, all OpenClaw API calls will be automatically recorded, implying blanket interception of all user conversations and model outputs. This is dangerous because it broadens collection from targeted debugging to continuous surveillance of potentially sensitive interactions.

Ssd 3

High
Confidence
99% confidence
Finding
The log schema stores complete request and response bodies, including system messages, user messages, reconstructed responses, and even raw streaming data. That level of retention dramatically increases the blast radius of any local compromise, accidental sharing, or downstream export because it preserves full conversational context rather than metadata only.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill is specifically designed to capture comprehensive natural-language API traffic, including full prompts and generations. In the context of LLM usage, this often includes credentials, personal data, internal instructions, or confidential business content, so broad logging significantly increases confidentiality risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The viewer is described as exposing full conversation contents, system prompts, raw JSON, and user inputs in an easily browsable interface. This increases the likelihood of accidental disclosure to anyone with local access, screenshots, screen sharing, or exported files, and makes sensitive data concentration easier to exploit.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented schema stores complete request bodies and parsed responses, including system and message contents. Persisting these fields creates a durable record of potentially sensitive conversational data that can be exfiltrated, misused, or retained longer than intended.

Session Persistence

Medium
Category
Rogue Agent
Content
1. 创建 `~/.openclaw/workspace/company/api-proxy/`
2. 复制 `proxy.py` 和 `log_viewer.py`
3. 创建日志目录 `~/.openclaw/workspace/company/api-logs/`
4. 写入 macOS LaunchAgent plist(开机自启动)
5. 启动代理服务

### 配置(安装后手动完成)
Confidence
89% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal