ClawHub

Openclaw Amazon Bedrock Mantle Provider 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This official OpenClaw provider uses AWS credentials to discover and call Amazon Bedrock Mantle models, which is expected for its purpose but should be configured carefully.

Install only in an environment where OpenClaw is allowed to use your AWS_BEARER_TOKEN_BEDROCK or AWS IAM credential chain for Bedrock Mantle. Use a scoped AWS role/profile, prefer least privilege, and disable plugin discovery if you do not want automatic credential-backed model enumeration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code implicitly reads AWS bearer tokens or IAM-derived credentials from the environment and then performs remote model discovery without an explicit user action or visible authorization boundary in this file. Even if intended for convenience, automatic credential use plus outbound requests can surprise users, expand trust scope, and expose account metadata or enable unintended access paths.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The discovery request sends a bearer token in an Authorization header to a remote AWS endpoint, but this file provides no user-facing disclosure or consent flow around that transmission. While HTTPS is used and the endpoint is fixed, silent token transmission still creates a security and privacy risk because sensitive credentials are used automatically for capability probing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code explicitly enables direct browser access (`dangerouslyAllowBrowser: true`) and sends the supplied credential as an auth token to the remote Anthropic-compatible endpoint. In a browser context, any XSS, malicious extension, compromised dependency, or hostile page script can potentially trigger requests or exfiltrate the token, and the file provides no guardrails, environment restriction, or user disclosure before doing so.

Credential Access

High
Category
Privilege Escalation
Content
* - Models discovered from `/v1/models`
*/
async function resolveImplicitMantleProvider(params) {
	const env = params.env ?? process.env;
	if (params.pluginConfig?.discovery?.enabled === false) return null;
	const region = resolveMantleRegion(env);
	const explicitBearerToken = resolveMantleBearerToken(env);
Confidence
91% confidence
Finding
.env

VirusTotal

59/59 vendors flagged this plugin as clean.

View on VirusTotal