openclaw-skill-eeta-audit

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only audit framework for reviewing OpenClaw skills, with scanner hits coming from security-checklist examples rather than active behavior.

This skill is reasonable to install if you want an agent to help review other OpenClaw skills. Treat its output as an audit aid rather than a final security guarantee, and manually confirm any install, removal, or high-impact recommendation before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Natural-Language Policy Violations

Low
Confidence
76% confidence
Finding
This markdown file is subject to natural-language policy checks. The reference at L660 points specifically to a `/cn/` URL, which implies a Chinese-language resource, but the document does not indicate that this is optional, provide an alternative language, or justify a locale-specific requirement.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Vendor-controlled package managers

**Untrusted Sources**:
- Random GitHub repos without verification
- Unofficial mirrors
- Direct download links without checksums
Confidence
75% confidence
Finding
without verification

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
# Shell command execution
exec()
eval()
subprocess.run(shell=True)
os.system()
child_process.execSync()
```
Confidence
80% confidence
Finding
subprocess.run(shell=True

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```python
# ❌ DANGEROUS - Certificate validation disabled
import requests
requests.get("https://example.com", verify=False)  # No SSL verification!

# ✅ SAFE - Proper certificate validation
requests.get("https://example.com", verify=True)
```
Confidence
75% confidence
Finding
verify=False

VirusTotal

64/64 vendors flagged this skill as clean.
