ClawHub

Openclaw Matrix 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This official Matrix plugin fits its stated purpose, but it handles sensitive Matrix crypto trust and recovery material in ways users should review before installing.

Install only if you need OpenClaw to operate a Matrix account. Use a dedicated bot account, restrict room and sender allowlists, keep the state directory and backups private, avoid broad local media roots, and treat any stored access token, password, recovery key, or crypto snapshot as highly sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The verification manager auto-accepts inbound verification requests and, for self-verification flows, auto-starts SAS and auto-confirms it after a timer without requiring an explicit user comparison step. This undermines the core security property of interactive device verification: a compromised client, malicious automation, or logic bug can silently mark devices as trusted and expand an attacker's ability to impersonate devices or gain trusted access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code serializes and restores full IndexedDB snapshots to disk, which can include Matrix crypto state, sessions, keys, and message metadata. Even with chmod 0600 and file locking, persisting this material to the filesystem materially increases the attack surface because local compromise, backup leakage, misconfigured state directories, or unintended file exposure can disclose sensitive cryptographic state.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code persistently stores Matrix recovery keys and secret-storage material to local disk via loadStoredRecoveryKey/saveRecoveryKeyToDisk, including base64-encoded private key material. Recovery keys are highly sensitive account-recovery secrets; if the host, workspace, logs, backups, or file permissions are compromised, an attacker may gain long-term access to encrypted backups and potentially facilitate account recovery or decryption workflows.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The SDK exposes deleteOwnDevices(), which can delete arbitrary Matrix devices and will automatically satisfy interactive authentication using a stored password if the server requests it. This is a high-impact account-management capability because misuse, compromise, or unintended invocation can revoke user devices and disrupt account access without an out-of-band confirmation step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The set-profile action accepts avatarPath/filePath and forwards it for upload, allowing local file access to be triggered from tool input. In an agent/plugin context, accepting arbitrary local paths can expose sensitive local files if an attacker can influence tool parameters or prompt the agent to use them.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code path accepts verification requests and progresses verification without any explicit user-facing confirmation. In the context of Matrix verification, lack of user acknowledgement is dangerous because verification is supposed to be a human trust decision, not a silent background action.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Writing IndexedDB snapshot data containing crypto state to disk without an explicit user or administrator-facing disclosure increases the likelihood of unsafe deployment assumptions and accidental data exposure. The danger is amplified because the persisted artifact is not merely telemetry but potentially restorable secret-bearing state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code automatically executes a helper script to download and install a native Matrix crypto runtime when the package is present but its native binding is missing. This is a real supply-chain and trust-boundary risk because it performs network/bootstrap behavior via a subprocess without explicit user consent or a clear warning in this file, so a compromised package, tampered dependency, or unexpected runtime context could trigger unreviewed code execution and binary installation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function explicitly retrieves `backupKeys.decryptionKeyBase64` from the Matrix crypto store and returns it to the caller, which exposes highly sensitive key material beyond the crypto boundary. In an agent skill context, returning a decryption key is especially dangerous because downstream code, logs, telemetry, or other tools may unintentionally persist or exfiltrate it, enabling unauthorized decryption of encrypted backups and message history.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The migration routine automatically renames legacy storage and crypto paths into a new target location without explicit user confirmation. Although this appears intended as an in-place upgrade feature, automatic filesystem mutation can cause unintended data movement or overwrite-adjacent operational issues if the environment or resolved target paths are wrong.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code writes a recovery key file and migration-state record automatically during crypto migration preparation. Because the recovery key is highly sensitive, silently persisting it to disk increases the chance of accidental exposure through permissive file permissions, backups, or operator surprise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
At the write site, saveRecoveryKeyToDisk() silently writes encoded and raw-equivalent recovery key material to disk, while any warning is only indirect and conditional elsewhere. Users or integrators may therefore persist extremely sensitive secrets without realizing it, increasing the chance of accidental exposure through backups, shared machines, or lax file handling.

Missing User Warnings

High
Confidence
95% confidence
Finding
The device deletion path performs a destructive account action without any built-in warning, second-factor confirmation, or explicit confirmation callback. In a skill with no trusted context or stated purpose, such silent destructive capability is especially risky because callers may trigger irreversible device removal accidentally or through abuse of the SDK surface.

VirusTotal

56/56 vendors flagged this plugin as clean.

View on VirusTotal