ACPX Runtime

Security checks across malware telemetry and agentic risk

Overview

This official ACPX runtime appears purpose-built, but it needs review because it can spawn local coding agents and its recovery guidance permits package or user-config changes without clear prior consent.

Install only if you want OpenClaw to manage ACP sessions for local coding agents. Before use, review the ACPX configuration, allowed agents, MCP server definitions, permissionMode, and any mcpServers.*.env secrets. Treat repair actions such as npm installs, gateway restarts, or ~/.acpx/config.json changes as requiring your explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings (severity: Medium, confidence: 95%)

Finding: The spawned process inherits the full parent environment via env: process.env, which can expose sensitive secrets such as API keys, tokens, cloud credentials, and internal configuration to whatever executable is named in the payload. In this proxy, targetCommand is externally supplied through decoded input, so forwarding all environment variables materially increases the blast radius if an unexpected or compromised child process is launched.

Vague Triggers (severity: Medium, confidence: 87%)

Finding: The trigger conditions are broad enough that normal requests about external coding tools or continuing prior work may invoke this router unexpectedly. In that state, the skill can steer execution into ACP runtime or shell-based acpx flows, increasing the chance of unintended tool use, session creation, or command execution based on ambiguous user intent.

Missing User Warnings (severity: Medium, confidence: 93%)

Finding: These instructions authorize automatic local repair steps including package installation, gateway restart offers, and modification of user configuration such as removing broken ~/.acpx/config.json overrides, without requiring a prior user-facing warning or consent. That creates a risky trust boundary violation: a routing skill should not silently change the local environment or user config as part of normal request handling.

Missing User Warnings (severity: Medium, confidence: 91%)

Finding: The direct acpx path instructs the agent to execute shell commands, resolve package versions, and potentially install a plugin-local binary, but does not require an upfront warning that local shell execution and dependency changes may occur. Because the skill routes user language into exec-driven command templates, ambiguous or insufficiently disclosed behavior could lead to surprising system-side actions and expanded attack surface.

VirusTotal

61 of 61 vendors reported this plugin as clean.