API Failover

Security checks across malware telemetry and agentic risk

Overview

This appears to be a working API failover tool, but it reads local credentials, routes prompts to third-party providers, and starts and persists a local proxy whose network scope is loosely bound and whose endpoints and files disclose internal details.

Install only if you intentionally want a local API proxy that can read provider configuration, use inherited credentials, keep local routing state, and send prompts to fallback providers. Keep it bound to localhost unless you add authentication. Protect any env files and the state and log paths it writes, review the generated provider order before use, and avoid sensitive workloads unless you are comfortable with every configured fallback provider receiving the data.
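The three controls above (loopback binding or authentication, private env/state/log files, a reviewed provider order) can be checked before the proxy starts. The following is an added example written for this page, not code from the skill or from SkillSpector; the config keys (bind_host, auth_token, env_file, state_file, log_file, provider_order) and the function names are assumptions about how such a proxy might be configured.

```python
"""Added example (not part of the skill or the report): an operator preflight
for a local failover proxy. Config keys and function names are assumptions."""
import ipaddress
import os
import stat


def is_loopback(host: str) -> bool:
    """True only for the literal 'localhost', 127.0.0.0/8 or ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames other than localhost are not trusted


def exposed_to_other_users(path: str) -> bool:
    """True if the path is a symlink or has any group/other permission bits set."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def preflight(config: dict, allowed_providers: set) -> list:
    """Return human-readable violations; an empty list means it is safe to start.

    Checks: (1) a non-loopback bind without an auth token, (2) env/state/log
    files that already exist but are readable by other local users or are
    symlinks, (3) any provider in the failover order that the operator has not
    explicitly approved.
    """
    problems = []

    host = config.get("bind_host", "127.0.0.1")
    if not is_loopback(host) and not config.get("auth_token"):
        problems.append(f"proxy binds to non-loopback {host} without authentication")

    for key in ("env_file", "state_file", "log_file"):
        path = config.get(key)
        if path and os.path.lexists(path) and exposed_to_other_users(path):
            problems.append(f"{key} {path} is group/world accessible or a symlink")

    for name in config.get("provider_order", []):
        if name not in allowed_providers:
            problems.append(f"provider {name!r} in failover order is not on the allowlist")

    return problems


if __name__ == "__main__":
    # Constructed config for illustration; nothing here is read from a real skill.
    demo = {"bind_host": "0.0.0.0", "provider_order": ["openai", "unknown-relay"]}
    for line in preflight(demo, {"openai", "anthropic"}):
        print("preflight:", line)
```

Files that do not exist yet are skipped here because they will be created at start-up; creating them safely is a separate concern from auditing what is already on disk.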

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of bundled scripts that inspect the environment, generate files, start a local proxy, perform network calls, and run shell-driven bootstrap flows, yet no explicit permissions are declared. That mismatch is risky because an agent or reviewer may treat the skill as lower risk than it is, while it can access secrets, modify local state, and expose services over the network during execution.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads and emits OpenClaw settings unrelated to API failover, including execution-security and gateway configuration, which expands environment reconnaissance beyond the stated skill purpose. Even though it does not modify those settings, exposing them can help an attacker understand local security posture and reachable services.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The unauthenticated /health endpoint returns internal provider names, configured profiles, the state file path, and the current failover state. That information materially helps an attacker map backend dependencies, infer operational degradation, and target specific providers or local file locations, which exceeds what a minimal health check should expose.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The notes document routing prompts through a local proxy to third-party providers and model fallbacks, but they do not clearly warn that user content may be transmitted to external services with different privacy, retention, and jurisdictional properties. In a failover setup this is especially important because requests may silently cross providers during degradation, so operators or users may not realize sensitive data is leaving the initially expected backend.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script writes discovered environment details to a predictable file in /tmp using the process ID in the filename, with no permission hardening or user warning. Discovery data in this skill context may include provider endpoints, model mappings, and potentially sensitive environment-derived metadata, which can be exposed to other local users or tampered with through symlink/race attacks on shared systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
When --start-proxy is used, the script writes logs to /tmp/api-failover-http.log and state to a configurable file defaulting to /tmp/api-failover-state.json without securing permissions or disclosing the persistence behavior. In a failover/proxy skill, these files may capture request metadata, health status, provider details, and other operationally sensitive information, creating a local disclosure or tampering risk.
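The two findings above describe the same local-file weakness: a predictable name under /tmp, default permissions, and no defence against a symlink another local user planted in advance. The following is an added example for this page, not the skill's own code, showing the naive pattern next to a hardened one and a constructed scenario in which a planted symlink redirects the naive write. It uses a private temporary directory in place of /tmp; the function names and the "discovery" file name are assumptions.

```python
"""Added example (not the skill's code): predictable /tmp file vs. hardened
creation. Runs on POSIX; os.O_NOFOLLOW is not available on Windows."""
import os
import stat
import tempfile


def write_discovery_naive(path: str, data: str) -> None:
    """Weak pattern: fixed, guessable name; default umask; follows any symlink
    already sitting at that path, so the write lands wherever it points."""
    with open(path, "w") as f:
        f.write(data)


def write_discovery_hardened(directory: str, data: str) -> str:
    """Hardened discovery dump: random name, mode 0600, created with O_EXCL so a
    pre-planted file or symlink at the chosen name fails instead of being used."""
    fd, path = tempfile.mkstemp(prefix="api-failover-discovery.", suffix=".json", dir=directory)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def open_private(path: str, append: bool = False) -> int:
    """Open a fixed-path state or log file without following symlinks.

    New files get 0600 and must not pre-exist (O_EXCL). For append mode the
    file may exist, but it must be a regular file we own with no group/other
    permission bits, otherwise we refuse rather than write into it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    flags |= os.O_APPEND if append else os.O_EXCL
    fd = os.open(path, flags, 0o600)
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode)
            or st.st_uid != os.getuid()
            or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        os.close(fd)
        raise PermissionError(f"{path}: not a private regular file owned by this user")
    return fd


def simulate_symlink_plant(directory: str) -> tuple:
    """Constructed scenario: a symlink is planted at the predictable name the
    skill would use (PID-based), pointing at a file the attacker wants clobbered.
    Returns (naive_write_overwrote_victim, hardened_open_refused)."""
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as f:
        f.write("original")
    predictable = os.path.join(directory, f"api-failover-discovery.{os.getpid()}")
    os.symlink(victim, predictable)  # the planted link

    write_discovery_naive(predictable, "leaked discovery data")
    with open(victim) as f:
        naive_overwrote = f.read() == "leaked discovery data"

    try:
        os.close(open_private(predictable))
        hardened_refused = False
    except OSError:  # FileExistsError from O_EXCL on the planted symlink
        hardened_refused = True
    return naive_overwrote, hardened_refused


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("naive overwrote victim, hardened refused:", simulate_symlink_plant(d))
```

The state file default of /tmp/api-failover-state.json is a fixed path, so mkstemp does not apply to it; open_private is the pattern for that case, and the right long-term fix is to default such paths to a user-private directory rather than a shared /tmp.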

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script probes for the presence of several API key environment variables and includes the results in its output without prior user disclosure or consent. While it does not print secret values, confirming which providers are configured still leaks sensitive operational metadata that can aid targeting or fingerprinting.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a user configuration file under /root and prints provider summaries, base URLs, model identifiers, gateway settings, and whether API keys are inline. This is sensitive configuration enumeration; even with partial redaction, it discloses internal topology and provider setup beyond what is necessary for basic failover detection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The health response discloses sensitive operational details without any warning or access restriction, including internal state and the on-disk state file path. This is an information disclosure issue because it reveals backend topology and runtime conditions that can be used for reconnaissance or to time attacks against degraded providers.
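Both /health findings (the earlier one on provider names, profiles and the state-file path, and this one on internal state) come down to one design choice: the unauthenticated answer should say whether the proxy is alive and nothing more, with the detailed view gated behind loopback origin and a bearer token. The following is an added example for this page, not the skill's own handler; the state keys, the token header format and the constructed sample state are assumptions.

```python
"""Added example (not the skill's code): a minimal vs. detailed /health answer
gated by client origin and a bearer token. State keys are assumptions."""
import hmac
import ipaddress

# Constructed sample of the kind of runtime state a failover proxy keeps.
SAMPLE_STATE = {
    "active_provider": "provider-b",
    "providers": ["provider-a", "provider-b", "provider-c"],
    "profiles": ["default", "fast"],
    "state_file": "/tmp/api-failover-state.json",
    "failover_index": 1,
}


def is_authorized(headers: dict, expected_token: str) -> bool:
    """Constant-time check of 'Authorization: Bearer <token>'.
    An empty configured token means the detailed view is never available."""
    presented = headers.get("authorization", "")
    prefix = "Bearer "
    if not expected_token or not presented.startswith(prefix):
        return False
    return hmac.compare_digest(presented[len(prefix):], expected_token)


def health_response(state: dict, authorized: bool) -> dict:
    """Unauthenticated callers learn only liveness. Provider names, profiles,
    the on-disk state path and the current failover position are reserved
    for authorized callers, since they describe topology and degradation."""
    minimal = {"status": "ok" if state.get("active_provider") else "degraded"}
    if not authorized:
        return minimal
    return {
        **minimal,
        "active_provider": state["active_provider"],
        "providers": list(state["providers"]),
        "profiles": list(state["profiles"]),
        "state_file": state["state_file"],
        "failover_index": state["failover_index"],
    }


def handle_health(client_ip: str, headers: dict, state: dict, token: str) -> tuple:
    """Return (http_status, body). Non-loopback clients are refused outright;
    loopback clients get the minimal answer unless they present the token."""
    try:
        if not ipaddress.ip_address(client_ip).is_loopback:
            return 403, {"error": "forbidden"}
    except ValueError:
        return 403, {"error": "forbidden"}
    return 200, health_response(state, is_authorized(headers, token))


if __name__ == "__main__":
    print(handle_health("127.0.0.1", {}, SAMPLE_STATE, "s3cret"))
    print(handle_health("127.0.0.1", {"authorization": "Bearer s3cret"}, SAMPLE_STATE, "s3cret"))
```

Returning the same minimal body for a missing and for a wrong token avoids turning the endpoint into a token oracle; if a proxy needs a richer diagnostic view for a dashboard, that view should live on a separate authenticated route rather than leak through the liveness check.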

VirusTotal

61/61 vendors flagged this skill as clean.
