ClawHub

OpenClaw Bot Dashboard

Security checks across malware telemetry and agentic risk

Overview

This looks like a real dashboard launcher, but it can automatically stop local services, replace files, install and run remote code, and expose OpenClaw dashboard data without enough user control.

Review carefully before installing. Use it only if you trust the remote xmanrui/OpenClaw-bot-review repository and are comfortable running its latest npm dependencies. Before invoking it, check what is already on port 3000, back up any local OpenClaw-bot-review edits, avoid sharing the LAN URL unless you understand who can reach it, and stop the background server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to forcibly terminate whatever process is listening on port 3000 using kill -9 / Stop-Process -Force, without verifying that it is actually the intended dashboard. That can disrupt unrelated local services, cause data loss for active development servers, and exceeds the minimally necessary action for 'opening' a dashboard.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill automatically fetches updated code from the network and runs npm install without user approval, which executes untrusted third-party package lifecycle scripts and changes the local system state. This creates a software supply-chain risk and makes 'launch dashboard' a hidden code execution and auto-update workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as launching/managing a dashboard, but it may delete the existing project directory and replace it with freshly downloaded content. That behavior is materially more destructive than the stated purpose and could remove local edits, cached state, or user-added files inside the project directory.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The skill mandates detection and disclosure of the host's LAN IPv4 address even though the core task is to start a local dashboard. This unnecessarily performs host-network enumeration and exposes internal addressing information that may not be needed, especially if the user only wants localhost access.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "start dashboard" is generic enough to match routine user requests that may not be intended to launch this specific skill. In this skill's context, accidental activation is more dangerous because execution would download or update code, install dependencies, stop an existing service on port 3000, and launch a background server.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README describes behavior that can stop whatever is using port 3000 and, in some update paths, delete the existing installation directory, but it does not present these as prominent user-facing warnings requiring consent. This is dangerous because a user may invoke the skill expecting a harmless UI launch, while the skill can disrupt unrelated local services or remove local files as part of its automated update logic.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase 'start dashboard' is generic and likely to collide with unrelated user requests, increasing the chance this skill activates unexpectedly. Because the skill performs downloads, installations, process termination, and server startup, accidental invocation materially raises the risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill undertakes destructive and system-changing actions—stopping processes, downloading code, deleting directories, installing dependencies, and running a background server—without adequate upfront warning or consent. This violates user expectations for a simple 'open dashboard' action and amplifies the harm from misfires or compromised upstream code.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger "start dashboard" is generic enough to collide with ordinary user language or unrelated workflows, which can cause the skill to launch unexpectedly. Because this skill starts a web UI and may install dependencies or initiate other setup actions, accidental activation expands the attack surface and can lead to unintended code execution paths.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger "open bot dashboard" is insufficiently specific and may overlap with generic requests about other bot tooling or dashboards. In this context, unintended invocation is more concerning because the skill is described as automatically detecting the OS, checking for updates, installing dependencies, and launching a development server, all of which are side-effectful actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal