localstorage-poc
Security research - localStorage access via SVG XSS
Why use this skill?
Explore the localstorage-poc skill for OpenClaw. A security research tool demonstrating how a script carried inside an SVG file, once the file is rendered as a page on the platform's origin, can read sensitive localStorage data.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/orlyjamie/localstorage-poc
What This Skill Does
The localstorage-poc skill serves as a security research demonstration created by @theonejvo. It highlights a critical weakness: an SVG file hosted on the ClawdHub platform and opened directly in the browser is rendered as a document on the platform's own origin, so any script element it contains runs with that origin's privileges and can read the origin's localStorage. Many web applications store authentication tokens, session identifiers and user preferences there, which is why a planted SVG is enough to expose them. Opening the included icon.svg while logged in to the platform runs the embedded script and displays the stored data.

No sandbox escape or cross-origin flaw is involved. The browser is doing exactly what the same-origin policy permits for a document served from that origin; the flaw is on the platform side, in serving user-supplied SVG as a renderable same-origin document. The risk applies when the SVG is opened as a document (direct navigation, or loading through iframe, object or embed elements); an SVG referenced from an img element or a CSS background does not execute its scripts. This tool is intended for ethical hackers, security researchers, and developers looking to understand and mitigate XSS-based storage exposure of this kind.
Installation
To integrate this research tool into your local OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/orlyjamie/localstorage-poc
Ensure that you have the latest version of the ClawdHub CLI installed to avoid dependency conflicts during the installation process.
Use Cases
- Security Auditing: Testing your own infrastructure for XSS vulnerabilities that could lead to unauthorized storage access.
- Educational Sandbox: Demonstrating the risks of rendering untrusted SVG files in web interfaces.
- Incident Response Training: Simulating potential data exfiltration paths to better secure session management.
- Policy Development: Justifying a strict Content Security Policy (CSP) that blocks inline script in any user upload the browser renders as a document, together with serving uploads from a separate origin.
Example Prompts
- "OpenClaw, run the localstorage-poc and analyze the potential impact on my current active session tokens."
- "Explain why the script inside the localstorage-poc SVG runs with the platform origin's privileges instead of being stopped by the browser's origin restrictions."
- "Summarize the security risks associated with displaying user-uploaded SVGs and how the localstorage-poc tool illustrates these dangers."
Tips & Limitations
- Safety Warning: Only use this skill in a controlled, non-production environment. Never point this tool at services where you do not have explicit authorization to perform security testing.
- Scope: This tool only demonstrates access; it does not automatically exfiltrate data to external servers, keeping the test contained.
- Mitigation: To protect against the weakness shown by this PoC, developers should sanitize all SVG uploads (strip script elements, event-handler attributes, javascript: URLs and foreignObject), serve user uploads with Content-Disposition: attachment or from a separate origin so they are never rendered as a same-origin document, and enforce a CSP that does not allow 'unsafe-inline' scripts.
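The mechanism described under "What This Skill Does" and the mitigation in the last tip, as an added example that is not part of the localstorage-poc skill, of ClawHub, or of @theonejvo's code: a Node.js gate that flags script-capable constructs in an uploaded SVG, run over constructed sample files (a stand-in that shows the shape of a PoC like icon.svg, a variant using the obfuscations a filter must also catch, and a benign icon), plus the response headers that keep an upload from rendering as a same-origin page. The sample files, the file name in the run comment and the helper names are assumptions; the real icon.svg is not reproduced.

```javascript
// Added example, not code from the localstorage-poc skill or from ClawHub:
// a pre-upload gate that flags script-capable constructs in an SVG, plus the
// response headers that stop an upload from rendering as a same-origin page.
// Run with: node svg-gate.js   (file name is an assumption)

// Constructed stand-in for the PoC's icon.svg (the real file is not reproduced
// here). SVG is XML, so a <script> element is legal markup; when the file is
// opened directly from the platform's origin this script runs with that
// origin's privileges, and "localStorage" below is the platform's storage.
const POC_LIKE_SVG = `<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#c33"/>
  <script><![CDATA[
    alert(JSON.stringify(window.localStorage));
  ]]></script>
</svg>`;

// Constructed: the same capability without a <script> tag. Event-handler
// attributes, javascript: links (entity-encoded to dodge naive filters) and
// <foreignObject> (arbitrary HTML inside SVG) all execute in a rendered document.
const OBFUSCATED_SVG = `<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10" onload="alert(localStorage.length)"/>
  <a href="&#106;avascript:alert(localStorage.getItem('token'))"><text y="20">open</text></a>
  <foreignObject width="10" height="10"><body xmlns="http://www.w3.org/1999/xhtml"><p>html</p></body></foreignObject>
</svg>`;

// Constructed: a plain icon that must pass the gate.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#09f"/>
</svg>`;

const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode numeric and basic named entities so "&#106;avascript:" is seen as
// "javascript:", the way the browser will see it.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/g, (_, n) => NAMED[n]);
}

// Elements that carry script or embed a foreign document.
const BLOCKED_TAGS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object', 'handler']);
// Attributes that take a URL, including SMIL animation targets that can
// rewrite href to javascript: at runtime.
const URL_ATTRS = new Set(['href', 'xlink:href', 'to', 'from', 'values']);

// Deliberately lightweight tokenizer for start tags and their attributes.
// It is a gate, not an XML parser; values containing a raw ">" are outside it.
const TAG_RE = /<\s*([A-Za-z_][\w:.-]*)([^>]*?)\/?>/g;
const ATTR_RE = /([^\s=\/"']+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Returns { safe, findings }; findings name the construct and the element it sits on.
function scanSvg(svg) {
  const findings = [];
  // Drop comments; CDATA stays because <script><![CDATA[...]]></script> is live code.
  const src = svg.replace(/<!--[\s\S]*?-->/g, '');
  for (const m of src.matchAll(TAG_RE)) {
    const tag = m[1];
    if (BLOCKED_TAGS.has(tag.toLowerCase())) findings.push(`<${tag}> element`);
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const raw = a[2] ?? a[3] ?? a[4] ?? '';
      // Browsers ignore whitespace and control characters before the scheme.
      const value = decodeEntities(raw).replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
      if (name.startsWith('on')) findings.push(`event handler ${a[1]} on <${tag}>`);
      if (URL_ATTRS.has(name) && /^(javascript|vbscript):/.test(value)) {
        findings.push(`${a[1]} with ${value.split(':')[0]}: URL on <${tag}>`);
      }
    }
  }
  return { safe: findings.length === 0, findings };
}

// Backstop for whatever the gate misses: serve uploads so the browser never
// renders them as a same-origin document. <img> embedding ignores
// Content-Disposition, so icons still display; direct navigation downloads.
function uploadResponseHeaders(filename) {
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${filename.replace(/[^\w.-]/g, '_')}"`,
    // If the file is rendered as a document anyway, block every script source.
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}

function report() {
  return { poc: scanSvg(POC_LIKE_SVG), obfuscated: scanSvg(OBFUSCATED_SVG), benign: scanSvg(BENIGN_SVG) };
}

console.log(JSON.stringify(report(), null, 2));
```

The regex tokenizer is a gate, not a parser, so in production put a parser-based sanitizer (DOMPurify handles SVG, for instance) in front of it and keep the headers as the backstop for anything the sanitizer misses. Hosting user content on its own origin is the deployment choice that makes a missed script harmless: the localStorage it can reach then belongs to the upload origin, which holds nothing.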
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-orlyjamie-localstorage-poc": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags (AI)
Flags: code-execution, data-collection
Related Skills
totally-legit-skill
A totally legitimate skill that does nothing suspicious
greeting-skill
A friendly greeting skill for testing