OpenClaw Security Configurator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw security and token-monitoring skill, but it handles sensitive local logs and secrets with weak disclosure and unsafe defaults that merit manual review before installation.

Before relying on this skill:
  • Review the shell scripts before installing and run them with the least privileges possible.
  • Avoid enabling the background/systemd monitor until the config sourcing and PID-file behavior are acceptable.
  • Do not use webhook alerts unless the destination is trusted.
  • Treat payment/model-routing claims as unverified marketing rather than delivered security controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium severity, 94% confidence
The document expands the skill from a security configurator into payment processing and commercial account activation, which is materially outside the declared scope. This kind of scope drift is dangerous because users may grant trust, permissions, or deployment approval under a security-focused expectation while the skill is positioned to handle financial workflows.

Description-Behavior Mismatch

Medium severity, 90% confidence
Token-cost optimization, consumption analytics, and budget management are non-security business functions that exceed the stated role of enterprise security configuration and monitoring. When a security-branded skill quietly broadens into operational and financial analysis, it increases the chance of overcollection of usage data and misuse of trusted security context.

Description-Behavior Mismatch

Medium severity, 91% confidence
Documenting three-model intelligent routing as a core capability is inconsistent with a narrowly defined security configuration skill. Routing user tasks across multiple external models can expose prompts, code, and security-sensitive data to additional processors without users expecting that behavior from a security tool.

Context-Inappropriate Capability

High severity, 97% confidence
Payment processing and automatic premium activation are context-inappropriate for a security configurator and create a high-risk trust mismatch. In a security tool context, users may not anticipate financial transaction handling, callback processing, or account-state changes, which can introduce fraud, abuse, and sensitive financial data exposure pathways.

Context-Inappropriate Capability

Medium severity, 88% confidence
General token-cost forecasting and budget management are not justified by the declared security purpose and can encourage collection of broad usage telemetry unrelated to security. In a security-branded skill, such unrelated monitoring is especially sensitive because users may assume all data gathering is required for protection rather than business analytics.

Context-Inappropriate Capability

Medium severity, 90% confidence
Using the skill for development and business-analysis routing exceeds the declared security configuration role and broadens data exposure to non-security contexts. This is risky because a trusted security integration may gain access to code, internal strategy, or other sensitive inputs and forward them to third-party models under an unclear purpose boundary.

Context-Inappropriate Capability

Medium severity, 96% confidence
The script reveals fragments of sensitive environment variables by printing the first and last characters of secrets. Even partial disclosure can aid secret identification, correlation across systems, or recovery when combined with other leaked context, and this exceeds what is necessary for a security posture check. In a high-privilege enterprise security tool, operators may run it as root, increasing exposure of secrets from privileged environments.

Context-Inappropriate Capability

Low severity, 83% confidence
The token-usage check scrapes and outputs token- or cost-related journal entries, which is not strictly required for validating security configuration and may surface sensitive operational data. While not inherently malicious, it broadens data access and disclosure beyond the stated purpose of configuration hardening. In this skill context, that mismatch makes the behavior more suspicious because the tool is positioned as a security configurator.

Missing User Warnings

Medium severity, 84% confidence
The README advertises monitoring, logging, reporting, and webhook alerting but does not warn that these features may collect, persist, or transmit operational and security-sensitive data. In a security-monitoring skill, especially one aimed at financial environments, operators may unknowingly expose token usage, configuration details, or incident metadata to logs and external endpoints, creating privacy, compliance, and leakage risks.

Missing User Warnings

Medium severity, 88% confidence
The installation and usage instructions encourage running security and monitoring scripts without upfront disclosure that they may read system configuration, create logs, or write to privileged paths such as /etc, /var/log, and /tmp. In the context of a skill for securing a high-privilege system, undocumented system-impacting actions are dangerous because users may execute commands with elevated privileges without understanding persistence, data exposure, or operational side effects.

Missing User Warnings

Medium severity, 88% confidence
The skill recommends hardening and monitoring operations with administrator privileges but provides no concrete warnings about service disruption, configuration changes, log/data access, or rollback needs. In a security-administration context, that omission can cause unintended system changes or overbroad access to sensitive operational data under the guise of security improvement.

Missing User Warnings

Medium severity, 95% confidence
The script prints raw token-related log lines to stdout and, through report generation, can persist them into the report file. Logs commonly contain identifiers, prompts, error context, usage metadata, or even secrets; exposing them without sanitization or warning creates an information disclosure risk. Because this tool is meant for enterprise security monitoring, users may trust it and run it in sensitive environments, amplifying the danger.

Missing User Warnings

Medium severity, 97% confidence
The generated report includes system details and security assessment results and is written to /tmp, a shared, persistent location on many systems. Even if the filename is somewhat unique, placing sensitive diagnostics in /tmp can expose them to other local users, backup processes, or accidental retention. In a compliance-oriented security skill, storing such data in an insecure location is especially inappropriate.

Missing User Warnings

Medium severity, 87% confidence
The script can transmit alert content to an arbitrary webhook URL without surfacing that behavior in the CLI/help text, which increases the chance of silent external data egress. In this context, alert messages may contain sensitive operational details from logs, so enabling webhooks can leak internal usage patterns or log-derived content to third parties.

VirusTotal

65/65 vendors flagged this skill as clean.