Pluginv1.1.0

ClawScan security

Dexbox Desktop Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 10:12 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality matches its purpose, but there are notable inconsistencies and risky elements (a curl|sh installer, a configurable server URL that can be pointed off-host, and mismatches between declared requirements and the SKILL.md) that merit caution before installation.
Guidance: This plugin appears to do what it says (control Windows VMs via a dexbox server), but take these precautions before installing or enabling it: - Review the install script before running it. Curl|sh from raw GitHub executes code on your machine; inspect the script or prefer a packaged release. - Keep the plugin's baseUrl set to a local, trusted host (e.g., http://localhost:8600). Do not change it to a remote server you don't control; otherwise screenshots, PowerShell outputs, and RDP passwords will be transmitted to that server. - Be aware that create_desktop requires RDP credentials; only provide secrets if you trust the dexbox server host. - Because the skill can autonomously invoke tools that click, type, and run PowerShell, only enable autonomous use if you trust the skill and limit who/what can call it. - If you need higher assurance, request the upstream project's release artifacts or a signed installer and perform an audit of the install.sh script and the dexbox server implementation.
Findings: [curl_pipe_sh] expected: SKILL.md includes 'curl -sSfL https://raw.githubusercontent.com/getnenai/dexbox/main/install.sh | sh' as an install option. This installs the dexbox binary (expected for purpose) but is a high-risk install pattern (remote script executed locally). [transmit_credentials_to_server] expected: create_desktop accepts 'password' and posts it to the dexbox server. Sending credentials to the dexbox server is required for RDP registration, but it means credentials will be transmitted to whatever baseUrl is configured. [configurable_base_url] expected: openclaw.plugin.json exposes a baseUrl config (default http://localhost:8600). This is necessary to point to your dexbox server, but a non-local baseUrl would cause all interactions (screenshots, commands, credentials) to be routed off-host.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (remote/control Windows VMs via a local dexbox server) matches the code and tools. However, registry metadata lists no required binaries while the SKILL.md declares a required 'dexbox' binary and provides an install command — a mismatch between declared requirements and runtime instructions.
Instruction Scope: concernSKILL.md instructs only dexbox-related actions (start, up, screenshots, PowerShell via 'bash'), which is within expected scope. However it also includes an inline install instruction that pipes a GitHub-hosted script to sh, and the doc's claim that "all data stays between this plugin and the dexbox server on your machine" is only true if the configured baseUrl is local; the plugin allows changing baseUrl, which could cause data (screenshots, RDP passwords, command output) to be sent to an arbitrary server.
Install Mechanism: concernThe recommended install method in SKILL.md uses curl -sSfL https://raw.githubusercontent.com/.../install.sh | sh. Piping a remote script directly to the shell is high-risk because arbitrary code is fetched and executed; although the URL is GitHub raw (better than a random IP/shortener), it's still an unreviewed script executed at install time.
Credentials: noteThe skill declares no required environment variables or credentials in the registry. It does accept sensitive inputs (RDP passwords) which are posted to the configured dexbox server as part of create_desktop. That is appropriate for the described feature, but because the plugin's baseUrl is configurable, supplying credentials while the baseUrl is pointed to a non-local host would result in credential transmission to that host.
Persistence & Privilege: okThe plugin does not request always:true or any special persistent privileges and does not modify other skills. It can be invoked autonomously (platform default) — note that autonomous invocation plus the ability to control VMs and run PowerShell is powerful and should be allowed only if you trust the skill and configuration.