Pixel Office

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a pixel-office visualizer but actually installs, updates, and runs a broader dashboard with host-level process and file changes.

Install only if you intentionally want a full OpenClaw dashboard launcher, not just a pixel-art office view. Review the GitHub project and npm dependencies first, avoid using it on machines where port 3000 may host unrelated work, and be aware it can read local OpenClaw configuration data, update downloaded code, run a background server, and expose a LAN URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The README documents a different skill than the manifest declares: instead of a pixel-office visualization, it describes a dashboard installer/launcher that clones code, installs packages, updates code, and starts a server. This mismatch is dangerous because users and reviewers may grant permissions or invoke the skill under false expectations, enabling supply-chain and execution behavior unrelated to the advertised purpose.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
A skill presented as a pixel-office visualization should not need to clone external repositories, run npm install, pull updates, and launch a background development server. These capabilities materially expand the attack surface by introducing arbitrary third-party code execution, persistent background processes, and network exposure that are unjustified by the declared skill context.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The README’s stated intent contradicts the manifest by positioning the skill as an OpenClaw Bot Dashboard launcher rather than a pixel-office visualization. Intent mismatch undermines trust and reviewability, and in this context it makes the more invasive behaviors appear deceptively related to a harmless UI feature.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The manifest and headline present this as a simple pixel-office visualization skill, but the body actually performs host-level deployment actions: cloning code, installing packages, updating software, starting services, and reading local config. This mismatch is security-relevant because users and calling systems may grant the skill more trust than they would if its operational behavior were disclosed clearly.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill's stated purpose is displaying a pixel-art UI, yet it includes remote code acquisition and package installation on the host. Downloading and installing unpinned third-party code materially increases supply-chain risk and exceeds what a user would reasonably expect from a UI-only skill.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The instructions force-kill any process bound to port 3000 using kill -9 or Stop-Process -Force, without verifying that the process belongs to this skill. That can terminate unrelated applications, cause data loss, and be abused as a destructive denial-of-service action on the host.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill auto-pulls or re-downloads the latest code and reinstalls dependencies without user approval. This creates a supply-chain exposure and can overwrite local modifications or introduce new behavior unexpectedly, which is especially risky for a skill presented as a UI launcher.

Context-Inappropriate Capability

Low
Confidence: 80%
Finding
The skill enumerates the machine's LAN IPv4 address and instructs returning a network-accessible URL. While not inherently malicious, exposing local network addressing and encouraging LAN exposure broadens the attack surface and is not clearly necessary for the declared visualization purpose.

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger phrase "start dashboard" is broad enough to overlap with normal user language and could activate the skill unintentionally. Because the documented behavior includes downloads, service termination, installs, and starting a background server, accidental invocation can cause meaningful system changes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README describes disruptive actions such as cloning/downloading code, installing dependencies, checking for updates, and starting a background service, but does not prominently warn users that these actions modify the system and execute external code. In this skill context, the lack of warning makes the behavior more dangerous because it is framed as automatic handling for what should be a simple visualization feature.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documented behavior includes stopping services on port 3000 and deleting the old directory before re-downloading code, yet this destructive behavior is not surfaced as a prominent risk. Automatic service termination and deletion can disrupt unrelated local applications or destroy user modifications, especially when invoked by a misrepresented skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation directs destructive restart behavior that can kill any service using port 3000, but does not clearly warn the user beforehand. Lack of warning increases the chance of accidental disruption to unrelated workloads and reduces informed consent for host-impacting actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill describes deleting and replacing the project directory to refresh code, but does not warn that local changes or data in that directory may be lost. Unannounced recursive deletion is risky even if scoped to a project path, especially in an automated skill workflow.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill states that it will automatically read the user's OpenClaw config file, but provides no privacy notice or consent step. Configuration files may contain sensitive endpoints, tokens, model settings, or metadata, so silent access to them is a privacy and secret-handling concern.

VirusTotal

63/63 vendors flagged this skill as clean.
