Back to skill

Security audit

Claw Operations Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is an operations dashboard, but it gives broad command, filesystem, snapshot, and web-management authority without enough scoping or protection.

Install only if you intentionally want to grant this skill broad local operations authority. Before using it, bind the dashboard to localhost, add authentication, remove sensitive paths from default monitoring/snapshots, avoid shell aliases for arbitrary commands, review retention of ~/.openclaw audit data and snapshots, and treat rollback as best-effort rather than guaranteed recovery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (51)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
auditor = AutoAuditedOperation()

    def execute():
        return subprocess.run(
            command,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
return subprocess.run( command, shell=True, capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def audited_exec(command, **kwargs):
    """exec 工具的自动记录包装"""
    def execute():
        return subprocess.run(
            command,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
return subprocess.run( command, shell=True, capture_output=True, text=True, **kwargs )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities including shell execution, file read/write, local web serving, and environment interaction, but no explicit permission declaration is provided. This creates a transparency and policy-enforcement gap: operators may approve or install the skill without understanding its effective access level, increasing the chance of misuse or unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented primarily as an operations/audit dashboard, but the content also includes arbitrary shell command execution, shell profile modification, filesystem monitoring, and state-changing web management actions. This mismatch is dangerous because users may trust it as a passive observability tool when it actually enables powerful execution and configuration changes that materially expand attack surface.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The integration guide materially expands the skill from described multilingual operations management into comprehensive interception of OpenClaw tool calls, including exec/read/write. This scope mismatch is dangerous because it encourages deep integration into agent tooling and broad data/command visibility that users may not expect from the advertised feature set.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented shell alias and Python wrapper expose a generic command-execution path that can run arbitrary shell commands under the guise of auditing. In a skill marketed as operations management, this broader capability increases the risk of misuse, privilege abuse, and destructive actions beyond expected administrative logging.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script executes the supplied command string with `eval`, which gives it arbitrary command-execution capability rather than acting as a passive audit wrapper. In an operations-management skill, this is especially dangerous because the wrapper is positioned as a trusted control point; any caller that can influence the command string can execute shell metacharacters, chained commands, substitutions, or destructive payloads with the user's privileges.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The audited_exec helper exposes arbitrary shell command execution that is broader than the stated auditing/management purpose. Logging and permission checks do not eliminate the risk, because the code still permits a wide range of commands and only heuristically derives a target path from command text, which is easy to evade.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The auto-snapshot list includes highly sensitive locations such as ~/.ssh, /etc/ssh, and /etc/sudoers.d, causing the skill to copy credential and privilege-management material during ordinary operations. This materially increases exposure by duplicating secrets and privileged configuration into snapshot storage, potentially creating a new high-value target and enabling rollback abuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This audit wrapper adds a general-purpose command execution primitive (`audited_exec`) that is broader than necessary for a logging/snapshot/audit component. In agent environments, unnecessarily broad capabilities increase the blast radius of prompt injection, tool misuse, or policy bypass because a component intended for oversight also becomes an execution surface.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module is presented as an automatic audit-logging wrapper, but it directly implements command execution and file mutation. This mismatch in stated purpose versus actual capability can mislead operators and reviewers, causing them to grant trust to a component that has stronger, potentially dangerous side effects than expected.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The initialization script creates a default configuration with `permissions.default_policy` set to `allow` and also inserts broad allow rules such as `allow-read-ops` and especially `log-all-ops` with wildcard matches. In an operations-management skill that includes monitoring, rollback, and permission management, seeding permissive defaults can turn the audit system into an authorization bypass or unsafe control plane where sensitive actions are allowed unless explicitly denied.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The permission-checking function is purely advisory: it returns an allow/deny decision but does not enforce that decision anywhere in this module, and it defaults to allow when no rule matches. In an operations-management skill that advertises permission management and mistake prevention, fail-open advisory checks can create a false sense of protection and allow unauthorized actions if callers forget or choose not to enforce the result.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The monitor defaults to watching highly sensitive locations such as /etc/ssh, /etc/sudoers, and SSH-related home directories, which goes beyond a typical operations-management auditing scope and creates visibility into credential and privilege-management activity. In this skill context, that is more dangerous because the tool is marketed as broad operational oversight with automatic logging, so users may enable it without realizing it captures security-sensitive filesystem events.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code advertises restore and rollback capabilities but does not actually restore any files; it only returns placeholder messages and prints advisory text. In an operations tool, this can create a false sense of recoverability, causing operators to rely on backups or rollback paths that do not exist during an incident.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
When no paths are provided, snapshot creation recursively scans the entire home directory, collecting metadata and hashes for all readable files. That exceeds the stated OpenClaw operations scope and can inventory sensitive personal, corporate, and credential-related material, increasing privacy and security exposure if the database is accessed or misused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The automatic snapshot routine explicitly includes ~/.ssh and /etc/ssh/sshd_config, which are highly sensitive and not necessary for ordinary operations-management auditing. Even though the code stores metadata and hashes rather than file contents, enumerating these files and recording their presence, timestamps, sizes, and hashes can expose infrastructure details and support targeted attacks.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This server exposes administrative endpoints to create and delete permission rules, yet there is no authentication, authorization, or origin protection anywhere in the HTTP handler. Because the service binds to 0.0.0.0, anyone with network access can modify policy and potentially weaken or disable protections, which is especially dangerous in an operations-management skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The setup flow expands an 'operations management/audit' skill into a general-purpose command execution wrapper by installing aliases and Python helpers that encourage arbitrary shell execution. Including destructive examples like 'rm -rf' normalizes high-risk use and increases the chance that users route sensitive or dangerous commands through an unreviewed wrapper with unclear security properties.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script does more than 'enable automatic recording': it starts a persistent local web server and later offers shell profile modification, which are materially different side effects from the advertised setup action. Undisclosed persistence and shell-environment changes reduce informed consent and can expose additional attack surface on the local machine.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The restore logic reconstructs destination paths as absolute filesystem locations and writes snapshot contents outside the repository, which can overwrite arbitrary user files under matched system paths. In an operations-management skill that advertises one-click rollback, this is especially dangerous because a normal restore action can unexpectedly modify the live system rather than an isolated workspace.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The document normalizes destructive commands such as file deletion and implies rollback makes them safe, but it does not warn that git-based snapshots may be incomplete, misconfigured, or unable to restore all data. This can mislead users into running destructive operations under a false sense of safety, increasing the chance of irreversible data loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples prominently include destructive commands like rm -rf without warnings, dry-run guidance, or confirmation requirements. This normalizes dangerous usage and can lead users or downstream agents to copy-paste irreversible file-deletion commands into production environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The metadata promises automatic git-based snapshots and rollback for every operation but does not disclose that snapshots can retain sensitive file history, deleted content, or repository-side artifacts beyond the user's expectations. In an operations/audit skill, this omission can cause users to enable broad monitoring without understanding the data retention and privacy consequences, increasing the risk of unintended exposure during rollback, inspection, or repository access.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The text states that commands are automatically translated/described in Chinese without presenting language selection, opt-in, or user control. In a multilingual operations tool, forced translation can mislead users, obscure critical command semantics, and create consent/privacy issues if operational data is transformed or displayed in an unexpected language.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.