Back to skill

Security audit

Aliyun AI Guardrail

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Aliyun guardrail integration, but it needs review because it installs an always-on hook that can inspect and rewrite chat requests and send prompt text to Alibaba Cloud using stored cloud keys.

Install only if you are comfortable with an always-on hook that can inspect and rewrite LLM-style requests and send prompt text to Alibaba Cloud. Use a least-privilege Alibaba Cloud key, protect or avoid plaintext openclaw.json credentials where possible, review the npm dependency before installation, and confirm you know how to disable or remove the hook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The hook replaces globalThis.fetch for the entire runtime and parses any JSON-looking request body with a messages array, regardless of whether the request is actually an OpenClaw LLM call. That broad interception can expose unrelated application traffic to inspection, mutation, logging, and third-party transmission, expanding the privacy and integrity impact beyond the intended scope of an AI guardrail.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The code walks all prior user messages and rewrites any whose hashed content matches a cached blocked entry, even though only the latest user message is actively checked. This can unintentionally alter historical prompt context and cause overblocking or corruption of conversation history when repeated text appears in earlier messages.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to place Alibaba Cloud AccessKey credentials into `openclaw.json`, but provides no guidance on secret protection, access controls, encryption, or avoiding committing the file to source control. Storing long-lived cloud credentials in a general configuration file increases the risk of accidental disclosure through logs, backups, shared workspaces, or repository commits, which could allow unauthorized use of the Alibaba Cloud account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks the user for Alibaba Cloud AccessKey ID and AccessKey Secret and directs storing them in openclaw.json without any warning about secret sensitivity, local plaintext storage risks, or privacy implications of sending LLM request content to a third-party cloud service. This is dangerous because it normalizes unsafe credential handling and may lead users to persist long-lived cloud secrets in insecure locations or expose sensitive prompt data to an external provider without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The implementation sends up to 2000 characters of the user's message to Alibaba Cloud's guardrail service for classification, but the code contains no visible consent, notice, or opt-in mechanism. In a skill that may process prompts containing secrets, personal data, or proprietary content, this creates a real data-exposure risk to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.