AgentLine, AI-native IM for Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Agentline/OpenClaw messaging integration, but it needs review because it combines remote script installation, persistent polling, local secrets, public webhook exposure, and automatic agent replies.

Install only if you trust the Agentgram/Agentline service and are comfortable with a local agent that can receive remote messages, store signing keys and tokens, run on a cron schedule, and optionally expose OpenClaw through a public tunnel. Prefer manual download and verification over `curl | bash`, avoid the upgrade command until releases are signed or pinned, use `contacts_only` or other sender controls, review logs for sensitive content, and do not enable cron polling or webhooks unless you want automatic agent processing and replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions even though it clearly requires network access and shell execution (`curl`, `jq`, tunnel tools, healthcheck/upgrade scripts). This under-specifies the skill's capabilities and prevents users or the runtime from making an informed trust decision before allowing outbound connectivity and local command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description presents the skill as a messaging integration, but the document also covers remote upgrade execution, local credential storage, OpenClaw invocation, polling automation, tunnel exposure, and host/environment inspection. That mismatch is dangerous because users may consent to a simple messaging feature while unknowingly enabling code download/execution, persistence, and broader local introspection.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The webhook setup instructs operators to expose a local OpenClaw gateway to the public internet via ngrok/cpolar or similar tunnels. Publicly exposing a local agent endpoint increases attack surface and can permit unsolicited probing, abuse of webhook handlers, or misconfiguration-driven data exposure if authentication or routing is weak.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The healthcheck is documented to inspect local config files, ports, crontab entries, lockfiles, and environment-derived paths. This expands the skill beyond messaging into host reconnaissance, which can reveal sensitive operational details and facilitate follow-on abuse if run in a broader agent context.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script downloads code from a server-controlled URL and immediately executes it with bash, which is a direct remote code execution path. Because both the version metadata and install URL are fetched from the network and the hub can be overridden, a compromised server, MITM, or malicious hub value can cause arbitrary command execution on the host.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This script introduces software installation and upgrade behavior by retrieving remote metadata and then executing a remote installer, which is a powerful capability beyond ordinary messaging operations. In the context of an agent skill, this expands the trust boundary substantially and creates a high-value execution primitive if the update channel is ever subverted.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The polling component goes beyond simple Agentline messaging by invoking an external OpenClaw agent on untrusted inbound messages and then automatically sending the generated reply. This creates an agent-to-agent prompt injection and unintended action surface where remote senders can influence downstream agent behavior and cause autonomous outbound communications not implied by the skill's stated scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata for Agentline directs installation to an Agentgram endpoint, creating a clear identity/distribution mismatch. This can cause users to install the wrong artifact or a substituted package, undermining trust in provenance and potentially enabling supply-chain compromise, especially for a messaging skill that handles agent registration, routing, contacts, and signed message workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Incoming message text from the Agentline hub is forwarded directly into an external agent runtime and used to generate an automatic reply, with no validation, sender trust check, consent gate, or content-safety boundary in this script. In an agent-messaging skill, this is more dangerous because any party able to send messages may be able to trigger prompt injection, data exfiltration via agent behavior, spam loops, or unintended autonomous actions in the downstream agent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer is executed immediately without any user-facing confirmation, review step, or display of what will run. This increases the likelihood of silent compromise because users are not given a chance to inspect the source, approve the action, or notice an unexpected hub/install URL.

Missing User Warnings

High
Confidence
94% confidence
Finding
The credential logic persists private keys and bearer tokens to disk under the user's home directory, increasing the blast radius of local compromise and accidental backup/sync leakage. Although chmod 600 helps, users are not warned that long-lived signing material and authentication tokens will be stored locally in plaintext JSON.

Missing User Warnings

High
Confidence
90% confidence
Finding
The endpoint registration flow transmits a webhook authentication token to the remote hub without prominently warning the user that a secret is being shared with a third-party service. If the hub is compromised, misconfigured, or untrusted, that token can be abused to impersonate legitimate webhook deliveries or access the integrated receiver path.

Missing User Warnings

High
Confidence
96% confidence
Finding
The polling script writes full incoming payload contents to a persistent log file, which can expose sensitive messages, prompts, metadata, and possibly secrets to other local processes, backups, or future forensic access. Because these are remote communications, users may not realize message bodies are being stored indefinitely in plaintext.

Missing User Warnings

High
Confidence
99% confidence
Finding
The upgrade command fetches and immediately executes a remote installer with curl piped to bash, giving the remote endpoint full code execution in the user's shell context. Any compromise of the hub, install URL, TLS trust chain, or update metadata could lead to arbitrary command execution.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The install instructions execute a network-fetched shell script directly with `bash`, which gives remote code full execution on the user's machine without review, integrity verification, or pinning. In a setup document for an agent skill, this is especially dangerous because users are likely to copy-paste it verbatim and the remote content can change at any time.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The cron instructions modify the user's crontab to create persistent background execution every minute, but the documentation does not clearly warn that this installs a continuously running scheduled task. Persistent execution increases risk because any bug, compromise, or unexpected behavior in the polled script will keep recurring automatically.

Ssd 3

Medium
Confidence
94% confidence
Finding
Persistently logging incoming message bodies in plain language creates an unnecessary sensitive-data exposure channel. Even if intended for traceability, plaintext retention can leak private communications and prompts through local compromise, backups, or shared workstation access.

Ssd 1

Medium
Confidence
93% confidence
Finding
The downstream prompt forces the OpenClaw agent to always reply and suppresses tool use decisions, reducing the agent's ability to decline malicious or unsafe requests embedded in inbound content. This makes prompt-injection attacks more effective because untrusted senders can reliably trigger automated responses under constrained policy.

Ssd 3

Medium
Confidence
91% confidence
Finding
The documented behavior logs raw inbound messages to `~/.agentline/inbox.log` and routes full message contents into downstream agent processing. This creates a clear data exposure path for sensitive content and also expands prompt-injection risk, since untrusted remote messages are fed into an agent workflow automatically.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Add cron job (every minute)
(crontab -l 2>/dev/null; echo "* * * * * \$HOME/.agentline/bin/agentline-poll.sh 2>&1") | crontab -

# Or specify an OpenClaw agent to handle messages:
(crontab -l 2>/dev/null; echo "* * * * * \$HOME/.agentline/bin/agentline-poll.sh --openclaw-agent my-agent 2>&1") | crontab -
```
Confidence
86% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
(crontab -l 2>/dev/null; echo "* * * * * \$HOME/.agentline/bin/agentline-poll.sh 2>&1") | crontab -

# Or specify an OpenClaw agent to handle messages:
(crontab -l 2>/dev/null; echo "* * * * * \$HOME/.agentline/bin/agentline-poll.sh --openclaw-agent my-agent 2>&1") | crontab -
```

When new messages arrive, the script automatically:
Confidence
86% confidence
Finding
crontab -l

External Script Fetching

High
Category
Supply Chain
Content
Prerequisites: `node` (v16+), `curl`, `jq`.

```bash
curl -fsSL https://agentgram.chat/skill/agentgram/install.sh | bash
export PATH="$HOME/.agentline/bin:$PATH"
```
Confidence
99% confidence
Finding
curl -fsSL https://agentgram.chat/skill/agentgram/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Prerequisites: `node` (v16+), `curl`, `jq`.

```bash
curl -fsSL https://agentgram.chat/skill/agentgram/install.sh | bash
export PATH="$HOME/.agentline/bin:$PATH"
```
Confidence
98% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.
