Agent Network

Security checks across malware telemetry and agentic risk

Overview

This is a real agent networking tool, but it opens broad unauthenticated network and local API surfaces while overstating its security protections.

Install only if you intentionally want an experimental always-on agent networking service. Use it in an isolated OpenClaw profile or test machine, restrict local and LAN access with firewall controls, avoid sensitive workspaces, and do not rely on its documented encryption, signature, or transaction-verification claims without hardening the code first.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (21)

Intent-Code Divergence

High severity, 98% confidence
Finding
The skill claims TLS 1.3 and Ed25519-based protections in its security section, but the implementation shown uses grpc.ServerCredentials.createInsecure() and grpc.credentials.createInsecure(), which provide no transport security. This creates a dangerous mismatch: operators may deploy the service believing peer discovery, messaging, and skill exchange are authenticated and encrypted when they are vulnerable to interception and tampering on the network.

Intent-Code Divergence

High severity, 99% confidence
Finding
The documentation says all messages are signed with Ed25519, but the code signs only the message content using HMAC-SHA256 with AGENT_PRIVATE_KEY or the hardcoded fallback 'default_dev_key'. That means there is no asymmetric identity proof, deployments may share the same default secret, and messages can be forged by anyone who knows or guesses the key.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
The skill starts a P2P server, local discovery, Nostr presence broadcast, EvoMap registration, automatic peer handshakes, and an unauthenticated HTTP API that exposes messaging, sharing, and marketplace operations. With no access control, binding restrictions, or clearly scoped purpose, this greatly expands the attack surface and can enable unauthorized local/remote interaction, data exposure, and abuse of the host as a network participant.

Context-Inappropriate Capability

Medium severity, 90% confidence
Finding
The code enumerates directories under the user's home OpenClaw skills path and returns names, versions, and full filesystem paths via an API endpoint. This leaks host inventory and directory structure information that can aid fingerprinting, targeted attacks, or privacy violations, especially when combined with the otherwise open HTTP API.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The code performs unsolicited outbound discovery to an external service (`evomap.ai`), periodically enumerates agents, and can send messages to external parties without any authentication, allowlist, or explicit user consent flow. In an agent skill context, this creates unexpected data egress and remote interaction surfaces that could leak metadata, enable unapproved communications, or expand the trust boundary beyond the local system.

Intent-Code Divergence

Medium severity, 93% confidence
Finding
The `download()` method is documented as 'just returns info', but it also performs state-changing financial and accounting operations: deducting buyer points, crediting the owner, and incrementing download counters. This mismatch is dangerous because callers may invoke it assuming it is read-only, leading to unintended charges, inconsistent UX/security assumptions, and abuse if exposed through preview or metadata retrieval paths.

Missing User Warnings

Medium severity, 88% confidence
Finding
The README explicitly advertises automatic greeting messages for new connections but does not disclose consent controls, rate limits, or user awareness mechanisms. In an agent-to-agent messaging platform, this can enable unsolicited communication, spam-like behavior, and accidental disclosure of presence or identity to newly discovered peers.

Missing User Warnings

Medium severity, 91% confidence
Finding
The README states that nearby AI agents are automatically discovered over a P2P network without warning users about privacy, exposure, or trust implications. Automatic peer discovery can reveal system presence, network location information, or make the application interact with untrusted peers by default, which is risky in a decentralized agent environment.

Missing User Warnings

Medium severity, 86% confidence
Finding
The README advertises automatic peer discovery over P2P and automatic greeting behavior without any mention of user consent, privacy controls, or network-scope limitations. Even though this is documentation rather than executable code, it signals product behavior that could expose users to unsolicited network activity, metadata leakage, or unexpected interaction with nearby peers.

Missing User Warnings

Medium severity, 82% confidence
Finding
The skill is explicitly designed for P2P discovery, messaging, local UI, publishing, and downloading code-like artifacts from other agents, yet it provides no prominent user-facing warning about privacy exposure, local network activity, or the risks of obtaining untrusted skills. In this context, omission of such warnings increases the chance users enable invasive networking and import untrusted content without understanding the security implications.

Missing User Warnings

Medium severity, 90% confidence
Finding
The CLI implicitly starts the Agent Network for commands like scan, status, list, balance, and leaderboard when no node is already running, which triggers network activity without explicit user consent or a clear warning. In a security-sensitive environment, users may expect read-only/status commands to be local-only, so this behavior can cause unintended peer discovery, connections, or exposure of the host on the network.

Missing User Warnings

Medium severity, 94% confidence
Finding
On startup, the skill connects to Nostr, broadcasts presence, registers with EvoMap, discovers peers, and automatically initiates handshakes without any user confirmation. This can disclose the node's identity and availability, create unwanted trust relationships, and expose the host to unreviewed remote interactions as soon as the skill runs.

Missing User Warnings

Medium severity, 97% confidence
Finding
The HTTP API exposes conversation history, message metadata, discovered peers, and messaging capabilities with permissive CORS set to '*', and no authentication or authorization checks. This makes sensitive local agent data and actions accessible to other local processes and potentially remote origins if the service is reachable, significantly increasing the risk of data leakage and unauthorized operations.

Missing User Warnings

Low severity, 88% confidence
Finding
The installed-skills endpoint reads contents from the user's home directory and exposes the installed skill list without any warning or access control. Even if limited to one application directory, it reveals local software inventory and path information that should not be disclosed by default.

Missing User Warnings

Medium severity, 91% confidence
Finding
The code automatically connects to any host that broadcasts a matching discovery message on the local network, with no authentication, allowlist, or user confirmation. An attacker on the same LAN can spoof discovery packets and induce outbound connections to malicious peers, enabling unauthorized interaction, fingerprinting, or exposure to downstream vulnerabilities in the P2P protocol stack.

Missing User Warnings

Medium severity, 89% confidence
Finding
The skill transmits peer identifiers and message content over the network to external infrastructure and other peers with no visible user-facing disclosure, consent, or policy gate. Even though HTTPS is used for the EvoMap endpoint, the main issue is silent sharing of operational metadata and content, which is risky in agent environments where messages may contain sensitive prompts, identifiers, or workflow data.

Missing User Warnings

Low severity, 77% confidence
Finding
The code persists a generated peer ID under the user's home directory without notice or consent. While the data written is limited, silent persistent identifiers can enable tracking across sessions and create privacy concerns, especially when the same identifier is later used in external network communications.

Missing User Warnings

Medium severity, 94% confidence
Finding
The code broadcasts node metadata such as a derived node ID, supported services, protocol/version details, and arbitrary caller-supplied content to multiple public Nostr relays without any consent flow, disclosure, or scope limitation. In an agent skill context, this can silently expose deployment details and potentially sensitive metadata to third-party infrastructure, enabling tracking, profiling, or unintended data leakage.

Missing User Warnings

Medium severity, 88% confidence
Finding
The module persists user-provided experiences, skills, and memories into tables explicitly named for sharing, but there is no visible consent check, disclosure step, access-control gate, or policy enforcement before those writes occur. In a sharing feature, silently storing and classifying potentially sensitive content for later dissemination can expose private data and create privacy/compliance risk, especially because memory and experience content may contain secrets or personal information.

Missing User Warnings

Medium severity, 82% confidence
Finding
Publishing a skill automatically broadcasts skill metadata such as owner, name, price, and publication action to the P2P network without any visible consent or disclosure in this code path. In a decentralized setting this can leak operational or identifying information and may expose unpublished/internal skill names or ownership relationships to untrusted peers.

External Transmission

Medium severity
Category: Data Exfiltration
Content (code excerpt flagged by the scanner):
}).then(r => r.json()),
  
  // Publish skill
  publishSkill: (skillPath, price, metadata) => fetch('http://localhost:18795/api/publish', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ skillPath, price, metadata })
74% confidence
Finding
fetch('http://localhost:18795/api/publish', { method: 'POST'

VirusTotal

All 64 of 64 VirusTotal vendors reported this skill as clean.