Back to skill

Security audit

OpenClaw 升级前影响评估工具

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs upgrade-impact analysis and workspace report/backup writes, but it asks for exec capability and includes an update-execution example that conflicts with its stated advisory-only boundary.

Review this before installing because it is mostly an advisory backup/reporting skill, but its instructions and metadata blur into command execution for upgrading OpenClaw. Only use it where workspace report and backup writes are acceptable, avoid committing generated backups or reports if they contain configuration details, and do not allow the exec-based upgrade example to run unless you explicitly intend to modify the host OpenClaw installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The documentation explicitly says the skill does not perform updates, yet an example immediately chains analysis into an actual upgrade action. Even if shown as an example, this normalizes using the skill in an update-execution workflow and undermines the stated safety boundary. Users may follow the example without appreciating that installation or upgrade commands can materially change the system.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The documentation introduces shell command execution (`openclaw.exec`) to perform a global package upgrade, which exceeds the stated scope of analysis, compatibility checking, and backup. Shell execution materially increases risk because it can modify the host environment and may be copied by users or incorporated into automation without proper review. In an upgrade-assistant context, this blurs the boundary between advisory and execution behavior.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README advertises automatic backup and report generation and notes read/write permissions later, but it does not clearly foreground that the skill will create files and directories in the workspace by default. In an agent/skill context, insufficient disclosure around automatic filesystem writes can lead users to invoke the skill without understanding side effects, increasing the risk of unintended data modification, storage consumption, or exposure of sensitive configuration data in generated reports/backups.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promises automatic backup and report generation without prominently warning that it writes files into the workspace by default. Silent or default writes can overwrite expected layouts, consume storage, expose sensitive configuration snapshots, or create artifacts that are later committed or shared. Because backups often contain sensitive configuration data, undisclosed default writes are more dangerous than ordinary report output.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "潜助 🤖",
  "license": "MIT",
  "dependencies": {
    "fs-extra": "^11.1.1",
    "node-fetch": "^2.6.9",
    "semver": "^7.5.4"
  },
Confidence
89% confidence
Finding
"fs-extra": "^11.1.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "fs-extra": "^11.1.1",
    "node-fetch": "^2.6.9",
    "semver": "^7.5.4"
  },
  "engines": {
Confidence
89% confidence
Finding
"node-fetch": "^2.6.9"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "fs-extra": "^11.1.1",
    "node-fetch": "^2.6.9",
    "semver": "^7.5.4"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
87% confidence
Finding
"semver": "^7.5.4"

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:24

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
node_modules/whatwg-url/lib/url-state-machine.js:691