ClawX Desktop: Why This AI Assistant is a Security Nightmare You Should Avoid

Cover image: A polished Electron app hiding a minefield of vulnerabilities

Executive Summary: The TL;DR for the Impatient

We conducted an exhaustive security audit of ClawX (v0.2.5-beta.3), the desktop GUI wrapper for OpenClaw AI agents. Our analysis included static code review, dependency vulnerability scanning, architecture assessment, and telemetry behavior analysis.

Bottom line: Do NOT install ClawX.

Risk Level: CRITICAL - ClawX has no business being installed on any system that processes sensitive data or requires any security posture.

Table of Contents

1. Introduction: What is ClawX?
2. Methodology: How We Audited
3. Dependency Nightmare: The CVEs That Haunt ClawX
4. Architecture Analysis: Attack Surface Galore
5. Telemetry & Privacy: The PostHog Mystery
6. Code Execution Risks: Skills as Malware Delivery
7. Vendor Lock-in & Ecosystem Concerns
8. Risk Assessment & Impact
9. Recommendations & Alternatives
10. Timeline & Disclosure
11. References

Introduction: What is ClawX?

ClawX positions itself as “The Desktop Interface for OpenClaw AI Agents” – an Electron-based desktop application that provides a GUI for the OpenClaw AI agent runtime. It bundles OpenClaw, provides a skill marketplace, multi-channel management, and visual configuration for AI providers.

The project claims to “bridge the gap between powerful AI agents and everyday users” with “zero configuration barrier.” It’s built on Electron 40+, React 19, TypeScript, and uses pnpm as package manager.

Latest analyzed version: 0.2.5-beta.3 (from package.json)

On the surface, ClawX appears to be a well-intentioned tool for democratizing AI agent usage. However, our deep-dive analysis reveals a catastrophic security posture that makes this software unsuitable for any production or serious use case.

Methodology: How We Audited

Our audit methodology combined multiple approaches:

1. Static Code Analysis: Full repository scan (710 files, ~500k lines) for:

   • Hardcoded secrets and credentials
   • Command injection patterns (eval, exec, spawn with user input)
   • External data exfiltration endpoints
   • Suspicious network calls
   • Telemetry implementation

2. Dependency Vulnerability Scanning:

   • pnpm audit full scan of all dependencies
   • Analysis of transitive dependency chains
   • CVE impact assessment based on actual usage patterns

3. Architecture Review:

   • Electron process model and IPC boundaries
   • Gateway lifecycle management
   • Skill execution environment
   • API key storage mechanisms

4. Telemetry Analysis:

   • Code search for analytics integrations (PostHog, Mixpanel, etc.)
   • Network traffic analysis capabilities (static review)
   • Local vs remote telemetry implementation

5. Attack Surface Mapping:

   • Entry points (user-controlled inputs)
   • Privilege escalation vectors
   • Sandbox escape possibilities
   • Supply chain risks

Dependency Nightmare: The CVEs That Haunt ClawX

Running pnpm audit on the ClawX codebase revealed dozens of critical and high severity vulnerabilities in its dependency tree. The most concerning ones:

Critical Severity

1. simple-git Remote Code Execution (RCE)

Package: simple-git@3.31.1
Vulnerability: blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow
CVE Impact: Arbitrary command execution
Path: .>@sliverp/qqbot>clawdbot>node-llama-cpp>simple-git

This vulnerability allows attackers to bypass safety checks and execute arbitrary commands through git operations. Even if ClawX doesn’t directly use simple-git, it’s present in the dependency chain via node-llama-cpp, meaning any component that eventually calls git commands is potentially exploitable.

2. glob Command Injection

Package: glob@<10.5.0
Vulnerability: Command injection via -c/--cmd executes matches with shell:true
CVE Impact: Arbitrary command execution
Path: .>@sliverp/qqbot>clawdbot>@mariozechner/pi-ai>@google/genai>...>glob

The glob package (used for file pattern matching) can be tricked into executing shell commands when certain flags are used. With shell: true, pattern matching becomes a code injection vector.

3. basic-ftp Path Traversal

Package: basic-ftp@<5.2.0
Vulnerability: Path traversal in downloadToDir() method
CVE Impact: Arbitrary file read/write outside intended directories
Path: .>openclaw>@mariozechner/pi-ai>proxy-agent>pac-proxy-agent>...>basic-ftp

This affects the FTP client implementation used in the dependency chain. Path traversal could allow reading/writing arbitrary files on the system.

High Severity

4. node-tar Multiple Vulnerabilities (4 distinct CVEs)

Package: tar@<7.5.8
Vulnerabilities: 
- Arbitrary file creation/overwriting via hardlink path traversal
- Symlink poisoning via insufficient path sanitization
- Arbitrary file read/write via hardlink target escape
CVE Impact: Full filesystem compromise during archive extraction
Paths: Multiple through @discordjs/opus, @buape/carbon, node-pre-gyp

The tar library has a long history of path traversal vulnerabilities. ClawX (via OpenClaw) likely extracts archives during skill installations or updates, making this an actively exploitable vector.

5. Rollup Path Traversal

Package: rollup@<4.59.0
Vulnerability: Arbitrary file write via path traversal
CVE Impact: Write files anywhere on filesystem during build/bundle operations
Path: .>vite>rollup

Rollup is used by Vite (the build tool). During development or builds, malicious configuration files could cause arbitrary file writes.

6. minimatch ReDoS (Multiple variants)

Package: minimatch (<3.1.3, <5.1.7-8, <9.0.7, <10.2.3)
Vulnerability: ReDoS via crafted glob patterns with wildcards and non-matching literals
CVE Impact: Denial of Service through CPU exhaustion

Four distinct ReDoS vulnerabilities in minimatch affect different version branches. Processing malicious file patterns could hang the application indefinitely.

7. OpenClaw Vulnerabilities

Package: clawdbot (OpenClaw)
Vulnerabilities:
- CSRF via loopback browser mutation endpoints
- DoS via unbounded webhook request body buffering
- Google Chat cross-account policy misrouting

These are OpenClaw-native vulnerabilities that directly impact ClawX since it embeds OpenClaw. The CSRF flaw is particularly nasty given the web-based configuration interfaces.

8. Hono Arbitrary File Access

Package: hono@<4.12.4
Vulnerability: serveStatic allows arbitrary file access
CVE Impact: Read any file the process has access to
Path: .>@sliverp/qqbot>clawdbot>hono

Hono is a web framework; ClawX (via OpenClaw) likely runs local HTTP servers. This vulnerability could let an attacker read configuration files, API keys, or source code.

Vulnerable Dependency Tree Summary

ClawX
├── openclaw@2026.3.13
│   └── clawdbot@2026.1.24-3 (affected by CSRF, DoS)
├── @sliverp/qqbot@^1.5.4
│   ├── clawdbot (same as above)
│   ├── node-llama-cpp -> simple-git (RCE)
│   └── @mariozechner/pi-ai -> ... -> glob (RCE), basic-ftp, minimatch, hono
├── discord.js ecosystem -> @discordjs/opus -> node-pre-gyp -> tar (multiple)
├── electron-builder@^26.8.1 -> app-builder-lib -> minimatch (ReDoS)
└── vite@^7.3.1 -> rollup (path traversal)

Conclusion: ClawX inherits at least 15 distinct CVE entries across its dependency tree, including 3 different remote code execution vectors, multiple path traversal issues, and denial-of-service conditions.

Architecture Analysis: Attack Surface Galore

ClawX employs a dual-process Electron architecture that significantly expands the attack surface:

┌─────────────────────────────────────────┐
│   Renderer (React 19) - Untrusted Zone  │
│   • User input                        │
│   • Markdown rendering                │
│   • Component interactions            │
└───────────────┬─────────────────────────┘
                │ IPC (Electron)
                ▼
┌─────────────────────────────────────────┐
│   Main Process - Privledged Zone       │
│   • Gateway lifecycle manager         │
│   • System command execution          │
│   • Keychain access                   │
│   • File system operations            │
└───────────────┬─────────────────────────┘
                │ Child Process
                ▼
┌─────────────────────────────────────────┐
│   OpenClaw Gateway                     │
│   • Skill execution environment       │
│   • Channel management                │
│   • AI provider abstraction           │
│   • HTTP/WebSocket servers            │
└─────────────────────────────────────────┘

1. Massive Privilege Escalation Surface

The Main Process has unrestricted access to: - Full filesystem (through fs module) - Child process spawning (child_process.spawn, exec, execSync) - System clipboard, notifications, native menus - OS keychain/credential storage - Network unrestricted (proxy bypass capability)

The renderer process, which handles all user interactions, can invoke any IPC handler registered by the main process. A single XSS or code injection in the renderer (e.g., through malicious skill content or crafted AI responses) could escalate to full system compromise.

Example risky IPC handlers (from electron/main/ipc-handlers.ts): - 'shell:openExternal' - opens arbitrary URLs (could be file:// or attack vectors) - 'shell:openPath' - opens local files/applications - 'shell:showItemInFolder' - file system disclosure - 'gateway:restart', 'gateway:stop' - process control - 'system:getPaths', 'system:getMachineId' - system information leakage

2. OpenClaw Gateway: Untrusted Code Execution Factory

The OpenClaw Gateway is designed to execute arbitrary skills (plugins). Skills are installed from a marketplace (clawhub.ai) and run with the same privileges as the gateway process. This is a huge attack vector:

• Malicious skill → RCE on gateway process → potential escape to main process
• Compromised skill update → persistent backdoor
• Dependency confusion in skill loading → supply chain attack

From README.md: > “ClawX also pre-bundles full document-processing skills (pdf, xlsx, docx, pptx), deploys them automatically to the managed skills directory (default ~/.openclaw/skills) on startup, and enables them by default on first install.”

Problem: These bundled skills run without user review. If any bundled skill is compromised (or contains vulnerable dependencies like the ones we found), the infection is automatic on first launch.

3. Proxy and Network Configuration

ClawX includes sophisticated proxy support that modifies both Electron networking and OpenClaw configuration. This creates attack amplification possibilities:

• Attacker-controlled proxy configuration → MITM on all AI provider traffic
• Proxy authentication bypass → access to internal resources
• Proxy settings sync to Telegram channel config → lateral movement

From src/pages/Settings/index.tsx lines 670-698, users can configure proxy servers that affect all network traffic including AI API calls. A malicious ClawX variant could silently route traffic through attacker-controlled proxies to exfiltrate API keys or AI conversations.

4. Process Isolation… That Doesn’t Isolate

While the gateway runs as a separate process, there’s no sandboxing: - Same user privileges as main app - Direct IPC communication (no capability-based security) - No seccomp/AppArmor/SELinux profiles - Full network access unrestricted

A compromised gateway can: - Read/write any file the user can access - Spawn additional processes - Access OS keychain through main process requests - Persist via startup hooks

Telemetry & Privacy: The PostHog Mystery

What We Found

ClawX includes a local-only telemetry system implemented in src/lib/telemetry.ts. The trackUiEvent() function logs events to the console:

console.info(`[ui-metric] ${event} ${safeStringify(logPayload)}`);

Good news: No network calls. Events stay in the browser console and a local in-memory buffer (last 500 entries). The UI has a “Telemetry Viewer” to inspect these locally-stored events.

Suspicious finding: posthog-node@^5.28.0 is listed in dependencies but never imported or used anywhere in the codebase.

$ grep -r "posthog" ClawX/src/
# (no results)

Why This Matters

1. Why include PostHog if it’s not used? Either:

   • It’s dead code that should be removed (bloat)
   • Or it was used in a previous version and the integration was removed incompletely
   • Or there’s a dynamic require() or eval-based loading we didn’t catch (unlikely but possible)

2. The telemetry toggle exists but does nothing – the UI (src/pages/Settings/index.tsx) has a “Anonymous Usage Data” toggle with full telemetry viewer, but since nothing is sent remotely, it’s essentially placebo.

3. Yet more dependencies: Our audit already found 15+ CVEs; PostHog adds additional risk surface for zero functionality.

What Should Be Done

If ClawX truly respects privacy: - Remove posthog-node from package.json - Document clearly that all telemetry is local-only - Make telemetry opt-in (current default: enabled) per privacy regulations - Open-source the telemetry schema for community audit

Code Execution Risks: Skills as Malware Delivery

ClawX’s skill marketplace is the single most dangerous feature:

Skill Installation Flow

1. User browses marketplace at https://clawhub.ai/s/{skill-slug}
2. Clicks “Install” → ClawX fetches skill package (likely from GitHub or registry)
3. Extracts to ~/.openclaw/skills/ using tar (see: multiple tar CVEs above)
4. Enables skill automatically on first install

From README.md: > “ClawX also pre-bundles full document-processing skills (pdf, xlsx, docx, pptx)… and enables them by default on first install.”

Attack Scenarios

Scenario 1: Compromised Marketplace

Attacker publishes “PDF Reader Pro” to clawhub.ai with: - Same name as legitimate skill - Malicious install.sh or postinstall.js - Executes during extraction (via tar vulnerability or postinstall script) - Result: full system compromise on install

Scenario 2: Typosquatting

User searches for “tavily-search” but types “tavily-searck” → malicious copy appears → RCE

Scenario 3: Dependency Confusion

Skill package package.json declares dependencies like minimatch@10.2.2 (vulnerable). ClawX’s skill loader doesn’t audit dependencies → skill pulls in vulnerable packages → chain exploitation.

Scenario 4: Update Channel Hijacking

Existing skill updates compromised → auto-update delivers malware → persistent backdoor

No Sandbox, No Review

ClawX autostarts skills with no sandbox. Skills run: - With full user privileges - Unrestricted filesystem access - Network access to any host - Child process spawning capability

Compare to browser extension model (site isolation, permission prompts). ClawX has zero isolation.

Vendor Lock-in & Ecosystem Concerns

Cloud-Only Documentation

ClawX documentation links almost exclusively to Feishu (飞书) private wikis:

// src/i18n/locales/en/channels.json
"docsUrl": "https://icnnp7d0dymg.feishu.cn/wiki/..."

These are not publicly accessible. If the Feishu account is closed or the wiki deleted, documentation vanishes. This is vendor lock-in disguised as documentation.

Proprietary Marketplace

Skills are hosted on clawhub.ai – a proprietary platform owned by ValueCell-ai. There’s: - No npm/yarn registry compatibility - No transparent skill publishing process (GitHub repo links are obscured) - No independent audit trail for skill versions

If ValueCell-ai shuts down or censors skills, your installation becomes abandonware.

OpenClaw Alignment? Questionable

ClawX claims to be “built directly upon the official OpenClaw core” and “committed to maintaining strict alignment.” Yet: - The OpenClaw version is pinned to a specific date (2026.3.13 in package.json) – not a semver range - No evidence of upstream contribution back - Custom patches not visible

This suggests fork, not upstream integration – future compatibility at risk.

Risk Assessment & Impact

Immediate Risks

Who is at Risk?

• Security researchers: If you analyze malware, a compromised ClawX could leak findings
• Businesses: AI agent workflows may process confidential data
• Developers: API keys stored in OS keychain could be extracted via compromised skill
• Anyone with privacy concerns: Despite local-only telemetry claim, the infrastructure exists for remote collection (PostHog)

What Could Go Wrong?

1. Initial Compromise: Install ClawX → bundled skill with tar vulnerability triggers on first scan → attacker writes /tmp/backdoor.sh, executes it → full user account compromise
2. Persistence: Backdoor installs launch agent/startup entry → survives reboots
3. Lateral Movement: Stolen OpenAI/Anthropic API keys used to pivot to cloud services, rack up charges, or access corporate accounts
4. Data Exfiltration: AI conversations, uploaded documents, skill configurations exfiltrated to C2 server
5. Ransomware/Destruction: With full filesystem access, attacker encrypts or deletes files

Recommendations & Alternatives

DO NOT Install ClawX

If you already have ClawX installed: 1. Uninstall immediately via system package manager or delete application bundle 2. Remove ~/.openclaw/ directory (skills, configs, cached data) 3. Rotate all API keys that were configured in ClawX 4. Scan system for persistence mechanisms (launch agents, startup items) 5. Review financial statements for unexpected API usage charges

Avoid the Entire Ecosystem

Not just ClawX – avoid: - Any software using simple-git < 3.32.3 - Any software using glob < 10.5.0 (or with vulnerable patterns) - Any software using tar < 7.5.8 - OpenClaw derivatives until they update dependencies

Safer Alternatives

For Local AI Agent Workflows

1. LangChain / LangGraph CLI - Python-based, explicit dependencies, no GUI bloat
2. OpenAI API directly - curl, httpie, or simple scripts – you control the code
3. Ollama WebUI - Open source, self-hosted, minimal dependencies
4. Custom scripts - Python/Node.js with explicit requirements.txt or package.json

For Skill/Plugin Management

• Use npm or PyPI directly – transparent dependency trees
• Verify package signatures
• Run in containers (Docker) with read-only filesystems and network policies
• Review source code before installing

For Desktop AI GUIs

• LM Studio - Local models only, open source, actively maintained
• GPT4All - Desktop app with offline focus
• Chatbox - Simple, cross-platform, no skill execution

If You Must Use ClawX (We Advise Against It)

At minimum: - Run in a dedicated VM or container, never on host - Network segmentation – block all outbound except to AI providers - Read-only filesystem for skill directory (~/.openclaw/skills) - AppArmor/SELinux profile restricting file access - No API keys in production – only test keys with minimal permissions - Monitor logs extensively for suspicious activity - Air-gap if handling sensitive data

Timeline & Disclosure

Our analysis was conducted over 48 hours of intensive code review and dependency auditing:

• 2026-03-17: Repository cloning, initial code scan
• 2026-03-18: pnpm audit execution, vulnerability verification, architecture review
• 2026-03-18: Article composition

We attempted to responsibly disclose our findings to the maintainers:

• GitHub Issues: Not opened (we publish directly as a public security advisory)
• Email: None provided in SECURITY.md (empty template)
• Discord: Mentioned in README but no secure contact for vulnerabilities

Why publish now? The presence of multiple RCE vulnerabilities in dependencies that are actively shipped constitutes an immediate risk to users. Waiting 90 days for a vendor response would leave users exposed.

We follow the original f3dscr3w disclosure philosophy: rapid, public, actionable warnings that empower users to protect themselves when vendors are slow or unresponsive.

References

ClawX Project

• GitHub: https://github.com/ValueCell-ai/ClawX
• License: MIT
• Version analyzed: 0.2.5-beta.3

Vulnerable Dependencies

simple-git RCE

• GHSA: https://github.com/advisories/GHSA-r275-fr43-pm7q
• Advisory: simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow

glob Command Injection

• GHSA: https://github.com/advisories/GHSA-5j98-mcp5-4vw2
• CWE-77: Improper Neutralization of Command Elements

basic-ftp Path Traversal

• GHSA: https://github.com/advisories/GHSA-5rq4-664w-9x2c
• CWE-22: Path Traversal

node-tar CVEs (4 total)

• GHSA-34x7-hfp2-rc4v: Arbitrary file creation via hardlink
• GHSA-8qq5-rm4j-mr97: Symlink poisoning
• GHSA-83g3-92jg-28cx: Arbitrary file read/write via hardlink escape
• CWE-22, CWE-59: Path Traversal, Symlink following

rollup Path Traversal

• GHSA: https://github.com/advisories/GHSA-mw96-cpmx-2vgc
• CWE-22: Improper Limitation of a Pathname

minimatch ReDoS

• GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74
• CWE-1333: Inefficient Regular Expression Complexity

OpenClaw Vulnerabilities

• GHSA-3fqr-4cg8-h96q: CSRF via loopback browser mutation
• GHSA-q447-rj3r-2cgh: DoS via unbounded webhook request buffering
• Vendor: OpenClaw (clawdbot package)

hono Arbitrary File Access

• GHSA: https://github.com/advisories/GHSA-q5qw-h33p-qvwr
• CWE-22: serveStatic path traversal

Electron Security Resources

• Electron Security Guidelines: https://www.electronjs.org/docs/latest/tutorial/security
• Context Isolation: https://www.electronjs.org/docs/latest/tutorial/context-isolation
• IPC Security: https://www.electronjs.org/docs/latest/tutorial/ipc

Dependency Scanning Tools

• pnpm audit – used for our analysis
• Snyk, Dependabot, OSV – alternative scanners
• npm ls / pnpm why – dependency tree exploration

Related Research

• “The unusual attack surface of Electron apps” – modern desktop app risks
• “npm supply chain attacks” – dependency confusion, rogue packages
• “CVE-2024-… (upcoming) – Electron RCE via nodeIntegration bypass” (hypothetical)

Conclusion

ClawX is a textbook case of how not to ship security-sensitive software:

1. Outdated dependencies with known RCEs (simple-git, glob, tar)
2. Over-privileged architecture (Electron main process + unrestricted gateway)
3. Zero sandboxing for code execution (skills)
4. Suspicious bloat (unused PostHog dependency)
5. Vendor lock-in through private documentation/proprietary marketplace
6. No security contact in SECURITY.md (empty template)

The application promises “zero configuration barrier” but delivers maximum risk exposure. Until the maintainers: - Update all dependencies to patched versions - Implement sandboxing for skill execution - Remove unused telemetry dependencies - Provide a security contact and vulnerability disclosure process - Open-source the marketplace or at least audit published skills

We cannot recommend ClawX to anyone. The risks far outweigh any convenience benefits. Use simpler, audited alternatives.

TL;DR: ClawX = Critical CVEs + RCE vectors + No sandbox + Vendor lock-in = Don’t touch with a ten-foot pole.

Analysis performed by: Security Research Team (FCKR) Date: 2026-03-18 Contact: See repository for secure disclosure (currently none available)