
Security audit

OpenDream

Security checks across malware telemetry and agentic risk

Overview

OpenDream is not evidently malicious, but it changes persistent agent scheduling and prompt files while running recurring background memory processing, so users should review it before installing.

Install only if you want a skill to change core OpenClaw prompt/config files and run recurring overnight background processing. Review the setup diff first, especially HEARTBEAT.md, SOUL.md, and openclaw.json, and check whether you already rely on agents.defaults.heartbeat. Treat generated dreams as potentially sensitive because they can reflect local daily memory content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding:
The skill's declared purpose is the agent's internal dream-state handling, but the daytime branch instructs checking reminders, calendar, and inboxes. That expands the skill into unrelated monitoring of sensitive personal/productivity data, creating unnecessary authority and data exposure beyond the stated use case.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding:
Access to reminders, calendar, and inboxes is unjustified for an internal dream-process feature and violates least-privilege expectations. Even if only a 'quick scan' is requested, the instruction authorizes reading potentially sensitive data with no clear need, increasing privacy and misuse risk.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding:
The file configures an autonomous heartbeat that runs every 30 minutes during overnight hours and instructs the agent to read additional local files and act on them, which exceeds the stated passive purpose of answering dream-state questions. This creates hidden background behavior and expands the skill's operational scope without a clear user-triggered justification, increasing the chance of unauthorized processing or instruction chaining from referenced files.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
An autonomous scheduled capability is present even though the skill's declared role is reactive dream-state reporting about the agent itself. That mismatch makes the skill more dangerous because it can perform periodic actions outside user requests, and the embedded instruction to read HEARTBEAT.md and prompts.yaml enables unreviewed behavior to be injected through those referenced files.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding:
This setup script performs privileged installation-time modifications to workspace files and the gateway configuration, which exceeds the skill's narrowly described conversational purpose. While presented as an installer, it changes agent behavior and persistent configuration in ways that an operator may not expect from a dream-state skill, increasing the risk of unauthorized scope expansion.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The script overwrites agents.defaults.heartbeat in the global openclaw.json, replacing any existing heartbeat policy with a dream-specific schedule of 23:00-06:00. This is dangerous because it alters global agent execution behavior and could disable or interfere with other heartbeat-driven tasks, creating a system-wide integrity and availability issue from a skill installer.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill repeatedly instructs writing to local dream and recall files without any user-facing disclosure or confirmation that persistent data will be created or modified. Silent file writes can surprise users, create unwanted records, and enable accumulation of sensitive inferred content about activity, memories, or internal state.

VirusTotal

65/65 vendors flagged this skill as clean.
