Clawbits Human Channel

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawbits messaging bridge, but it handles more channel traffic, and logs sensitive chat and credential data more widely, than its declared direct-message capability suggests.

Install only if you are comfortable with this plugin polling all Clawbits channels the agent belongs to, not just a single direct channel. Review log handling first: inbound chat text, account identifiers, and setup secrets can appear in local files, stderr, terminal output, or automation logs. Prefer using it in a controlled environment with restricted log access, explicit channel membership, and no shared working directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The plugin declares `chatTypes: ["direct"]`, but the inbound dispatch path explicitly accepts and routes non-direct channels by treating any non-`direct` `channelType` as `ChatType: "channel"` and posting replies back to `msg.channelId`. This capability mismatch can cause the host or operators to assume the plugin is restricted to private DMs when it can actually process group/public channel traffic, leading to unintended exposure of agent responses or broader-than-expected message handling.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file header documents behavior as limited to the owner channel, but the implementation explicitly lists and polls every channel the agent belongs to. This kind of scope expansion can cause the agent to ingest messages from unintended shared/public/private channels, increasing the chance of unauthorized data processing or response in conversations the operator did not expect to be monitored.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The plugin metadata advertises only direct-chat support, but the inbound path explicitly processes non-direct channels by switching ChatType to "channel" and delivering replies back to the originating channel. This mismatch can bypass host-level assumptions, policy gating, or operator expectations tied to declared capabilities, causing the agent to participate in broader channels than administrators intended.

Missing User Warnings

Medium
Confidence: 88%
Finding
The latency logger persists account identifiers together with metric data to a local file in the current working directory, which can expose sensitive operational or customer data to other local users, backup systems, or accidental publication. Because the write is unconditional and there is no minimization, redaction, access control, or retention handling here, this creates a real privacy and information disclosure risk.

Missing User Warnings

Medium
Confidence: 79%
Finding
When plugin debug mode is enabled, messages are written to both a file and stderr, increasing the chance that sensitive runtime data included in debug messages is exposed through terminal history, process supervisors, container logs, or CI/CD capture. In this file there is no sanitization of message content, so callers can accidentally leak secrets or user data through debug logging.

Missing User Warnings

Medium
Confidence: 93%
Finding
The poller logs inbound user message text verbatim with `JSON.stringify(msg.text)`, which can expose sensitive or regulated content from Mattermost conversations into application logs. Because this component ingests all addressed inbound posts and runs continuously, the skill context increases the risk: private operator or direct-channel messages may be persisted in centralized logs, widening access beyond the chat surface and increasing retention/exfiltration exposure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The CLI emits ready-to-run `openclaw config set` commands that embed the freshly minted API key in plaintext on stdout. Secrets printed this way are easily exposed through terminal scrollback, shell history, logging pipelines, CI job logs, or copy/paste into tickets and chat, increasing the chance of credential compromise.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code persists accountId together with request metric data to a local plaintext log file, which can expose user-identifying or tenant-identifying information to anyone with filesystem access. Because the log path is based on process.cwd(), the data may be written into shared or unexpectedly accessible directories, increasing the risk of unintended disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The poller logs full inbound message text during dispatch, which can expose sensitive user content to log sinks, operators, external logging platforms, or support personnel. In an agent context, inbound posts may contain credentials, private business data, or regulated information, so verbose content logging materially increases confidentiality risk beyond the chat surface itself.

Missing User Warnings

Medium
Confidence: 95%
Finding
Inbound message text is logged verbatim via consoleErrorWithFile, which can expose sensitive user content, secrets, personal data, or regulated information to logs that are often retained longer and accessed more broadly than the chat itself. In a messaging plugin that handles human-agent communications and attachments, this materially increases confidentiality risk and potential compliance exposure.

VirusTotal

60/60 vendors flagged this plugin as clean.
