ClawHub

Visualization

Security checks across malware telemetry and agentic risk

Overview

This visualization skill mostly matches its stated purpose, but it includes under-scoped persistence, remote script loading, custom-template file handling, and optional API/cloud features that need review before use with sensitive financial data.

Install only if you are comfortable with local files being created in the OpenClaw workspace and with generated HTML loading third-party JavaScript. Keep sensitive portfolio data local, avoid cloud-upload prompts, do not deploy the included API server as-is, and avoid untrusted custom templates until path validation and HTML escaping are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
68% confidence
Finding
The preferences endpoint accepts a userId from the client and claims to save user preferences, but there is no demonstrated binding between the authenticated API key and the target user identity. This creates an insecure direct object reference risk where one client could submit preferences for another user if downstream storage trusts the supplied userId.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The HTML output injects a remote script tag for Chart.js from a public CDN directly into Jupyter-rendered content. In a notebook environment, this creates network-dependent script execution and expands the trust boundary to a third party, enabling supply-chain compromise, unexpected telemetry, or failure/offline breakage beyond simple chart rendering.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exports files to a local workspace and can upload generated artifacts to cloud storage, which extends beyond narrowly scoped visualization generation and introduces data egress and persistence behavior. In a financial-analysis context, generated charts may encode sensitive portfolio or market analysis data, so undisclosed storage/upload paths increase confidentiality and compliance risk.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The generated HTML loads Chart.js from an external CDN, creating undisclosed outbound network access and a third-party supply-chain dependency at render time. This can leak metadata about usage and exposes rendering to tampering or availability issues if the CDN asset changes or is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Optional cloud upload is not necessary for core chart generation and creates a direct path for sensitive output to leave the local environment. Because this is a financial visualization skill, uploaded charts may reveal holdings, risk metrics, or analyst conclusions, making accidental disclosure materially more dangerous.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
The module can issue, validate, revoke, and enumerate API keys, but there is no visible authorization check around these lifecycle actions and no audit trail at the operation site. If exposed through application routes without strict caller verification, an attacker or low-privileged user could create or revoke credentials or list key metadata for another user, leading to account misuse or denial of service.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The encryption implementation is cryptographically unsafe: it derives keys with a hardcoded salt and uses deprecated createCipher/createDecipher APIs, effectively ignoring the generated IV and providing no authentication tag. This can lead to weak, non-portable encryption and makes ciphertext tampering or decryption failures harder to detect, putting sensitive configuration data at risk if this function is relied on for secrecy.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The preview HTML embeds untrusted template metadata directly into HTML via string interpolation, allowing attacker-controlled title or description fields to inject arbitrary markup or script into the generated file. Because the file is written locally and likely opened in a browser context, this can become a stored XSS issue with access to local session context or app-integrated browser capabilities.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill writes per-user preferences to a local filesystem path even though its stated purpose is visualization UI generation. This creates persistent storage of user-associated data without evident access control, retention limits, or clear necessity, increasing privacy and misuse risk if userId is attacker-controlled or the host filesystem is shared.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code has local read/write capability through fs.writeFileSync and fs.readFileSync that is not clearly justified by the visualization functionality described for the skill. Unnecessary filesystem access expands the attack surface and can enable unauthorized persistence, privacy leakage, or file abuse if surrounding code passes untrusted userId values.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The markdown states outputs are auto-saved to the workspace with timestamped filenames, but gives no warning or consent flow for file creation. For a financial-analysis skill, silent persistence can leave sensitive charts, portfolio data, or derived metrics on disk where other tools, users, or later processes may access them unexpectedly.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The Lambda handler forwards user-controlled template and parameters directly into a prompt for generateVisualization with no input constraints, allowlisting, or disclosure about how the content will be processed. If generateVisualization uses an LLM or downstream render pipeline, this can enable prompt injection, abusive workload generation, or unintended handling of sensitive user-supplied data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accepting API keys via query parameters exposes credentials in URLs, which are commonly logged by servers, proxies, analytics tools, browser history, and referrer headers. This makes accidental credential leakage much more likely even when transport security is used.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The interactive Jupyter HTML silently loads executable JavaScript from a remote CDN without warning the user. Because notebooks often run in trusted analyst environments, undisclosed external script execution can expose users to supply-chain attacks, outbound network requests, and behavior inconsistent with an offline/local visualization tool.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code performs cloud uploads based on parsed prompt content without any visible confirmation or warning step in this file. A user could trigger upload unintentionally by mentioning cloud storage, causing sensitive generated content to be sent to external infrastructure without informed consent.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
API key issuance and revocation are sensitive credential-management actions, but these methods do not emit security audit logs despite a logging helper existing in the class. Without durable auditability, unauthorized key creation, abuse, or destructive revocation can go undetected and incident response becomes significantly harder.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The generated preview HTML is persisted to disk without warning, and that file contains untrusted content rendered in a browser-readable format. This increases risk because malicious template content can become a durable payload that may be reopened later, turning unsafe interpolation into a persistent client-side code execution vector.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
User preference data is saved to disk with no warning, consent, or transparency visible in this file. Silent persistence of user-linked data is dangerous because it can violate user expectations, create privacy/compliance issues, and leave recoverable artifacts on the host even after a session ends.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal