OpenClaw Safe Upgrade

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs an OpenClaw upgrade as advertised, but it also automatically runs workspace code and pushes repository changes without a clear approval step.

Install only if you are comfortable with a script that can modify the OpenClaw installation, restart the gateway, read and restore OpenClaw/acpx configuration, run workspace helper scripts, and push git changes. Safer use would be to run only --check first, inspect or remove workspace hook scripts, and disable the automatic git add/commit/push block before a full upgrade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell execution behavior but declares no permissions, which undermines any permission-based trust or review model. Because the documented workflow runs a privileged upgrade script that can restart services, perform rollback, and invoke optional local scripts, the missing declaration increases the chance of unintended or unreviewed command execution in a sensitive operational context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill description frames the behavior as a safe upgrade helper, but the documented behavior includes additional capabilities such as manual rollback, preflight checks, optional execution of workspace scripts, and notably automatic git add/commit/push after upgrade. That mismatch is dangerous because users and policy systems may authorize an upgrade while being unaware the skill can execute unrelated code from the workspace and make external source-control changes.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as an OpenClaw upgrade utility, but after the upgrade succeeds it performs unrelated workspace mutations such as snapshotting and version-control activity. This expands the trust boundary from package upgrade operations to arbitrary user workspace state changes, creating unnecessary risk of unintended data modification or execution of attacker-planted workspace artifacts.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script stages all workspace changes, creates a commit, and attempts a git push to any configured remote, which can exfiltrate sensitive files or publish unintended modifications. For an upgrade skill, pushing to remote repositories is unjustified and especially dangerous because the workspace may contain secrets, generated files, or attacker-influenced content.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script conditionally executes workspace-local helper programs such as service-quick-check.py and golden-snapshot.sh if they exist. Because these files come from the workspace rather than a trusted, immutable installation path, an attacker who can place or modify them can gain code execution during a privileged/administrative maintenance action.

VirusTotal

VirusTotal findings are pending for this skill version.