Gateway Monitor (macOS)

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw gateway monitor, but it exposes powerful unauthenticated local-admin actions and uses stored credentials in ways users are not clearly told about.

Install only if you trust the publisher and are comfortable running a persistent macOS LaunchAgent that can read OpenClaw logs/status, use local MiniMax credentials, contact external services, restart the gateway, and restore OpenClaw config. Keep the monitor firewalled or bound to localhost before use, and review server.js plus the install script carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell-based installer, status, and uninstall scripts and therefore has meaningful system-modifying capabilities, but the manifest text does not declare permissions or clearly signal that level of access. This creates a trust and review gap: users may approve a seemingly simple skill without understanding it can execute local shell commands, alter LaunchAgents, and modify files under the user's home directory.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says the skill is for local install/repair/status of a gateway monitor, but the analyzed behavior includes a network-accessible server on 0.0.0.0, restart and restore endpoints, reading local config and backup contents, and calls to external APIs using credentials from environment or auth profiles. This mismatch is dangerous because it conceals a much broader attack surface, including remote access to sensitive local state and privileged operational actions that a user would not reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This UI goes beyond passive monitoring by exposing state-changing operations such as configuration restore and gateway restart directly from the browser. If the associated backend endpoints lack strong authentication, authorization, and CSRF protections, an attacker or unauthorized local user could trigger disruptive or destructive administrative actions from the dashboard.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The page includes GitHub-driven update-check and repository-setting behavior that expands the trust boundary from local monitoring to user-controlled remote metadata retrieval. Allowing arbitrary repo selection can enable SSRF-like outbound requests, misleading update information, or supply-chain confusion if the backend uses this value to query external resources without strict validation and allowlisting.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The monitor server includes functionality to contact external services such as MiniMax and GitHub, which exceeds a local-only gateway monitoring role. In this context, that broadens the trust boundary and can leak metadata or enable unintended outbound communication from a service expected to inspect only local state.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The `/api/restore-config` endpoint performs a state-changing filesystem write that restores user configuration over HTTP using only a query-string confirmation. A monitoring service should not expose destructive or administrative mutation endpoints without strong authentication, CSRF protection, and safer operational controls.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads API credentials from environment variables and local auth-profile files so the monitor can call an external service. Accessing and operationalizing credentials inside a monitoring dashboard increases exposure risk, especially because any compromise of this service expands into third-party account misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly tells users to run install and uninstall scripts, but it does not explain what system changes those scripts make, such as LaunchAgent registration, watchdog setup, persistence, or file modifications. In a skill specifically designed to install and manage background services on macOS, encouraging direct execution of shell scripts without disclosure or review guidance increases the risk of users running privileged or persistence-establishing actions blindly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The monitor reads sensitive MiniMax credentials and uses them for external requests without any visible user-facing disclosure in the service interface. In a local monitoring skill, hidden credential use is risky because operators may reasonably assume the component is read-only and local-only.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code makes authenticated outbound requests to external services without an obvious in-product warning or consent mechanism. This is dangerous because it obscures data flow and account usage from the user, which is especially inappropriate for a service marketed as a local monitor.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration-restore endpoint can overwrite the user's active config file with only `?confirm=true` as protection and no stronger warning or authorization barrier. That makes destructive action too easy to trigger and raises the risk of accidental or malicious rollback of local configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer performs persistent system modifications without any interactive warning or confirmation: it copies files into a hidden per-user tool directory, writes LaunchAgent plists, enables them with launchctl, and starts them immediately. Even if intended for legitimate setup, silent persistence reduces user awareness and creates risk if the package contents are tampered with or the script is invoked unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.