OpenClaw Manager

Security checks across malware telemetry and agentic risk

Overview

OpenClaw Manager appears purpose-built for local workflow management, but it needs Review because it runs an unauthenticated local sidecar that can read and change durable work data.

Install only if you intentionally want a persistent local OpenClaw control plane. Keep the sidecar bound to 127.0.0.1, avoid remote bind settings, review the state directory and autostart consent, and do not route sensitive threads through it unless local durable retention is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises network-facing and environment-dependent capabilities such as a local sidecar API, bootstrap runtime, connector normalization, and autostart behavior, but the manifest does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: reviewers and runtime controls may underestimate what the skill can access or expose, especially since the skill manages durable state and connectors that can move data across boundaries.

Vague Triggers

Medium
Confidence: 84%
Finding
The invocation text is broad enough to match vague requests to 'operate, inspect, or extend' a local manager control plane, which can cause the skill to activate outside a tightly scoped administrative context. Because this skill 'owns' session, event, checkpoint, attention, sidecar, and connector functions, over-broad triggering increases the chance of unintended access to sensitive local state or exposure of command surfaces during unrelated tasks.

Missing User Warnings

Medium
Confidence: 93%
Finding
This health endpoint returns internal filesystem and runtime configuration details, including the manager state root, bind host, port, and autostart consent. Even if intended for diagnostics, exposing this information without authentication or redaction increases reconnaissance value for an attacker and may reveal sensitive deployment details that help target local services or locate on-disk state.

Missing User Warnings

Medium
Confidence: 95%
Finding
The service appends raw inbound message content plus source identifiers, author fields, and metadata directly into session events and the spool without any consent check, minimization, or visibility control. In a shadow-observation manager, this creates a real privacy and data-governance risk because messages from external/local threads can be silently retained and later reused or promoted into managed sessions.

Missing User Warnings

Medium
Confidence: 89%
Finding
This code launches a detached background sidecar process with stdio ignored and immediately unreferences it, which makes the subprocess effectively invisible to the user and difficult to monitor or stop. In a skill context, spawning a persistent local process without explicit notice or consent creates stealthy persistence and reduces auditability, even if the intended use is operational rather than overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.
