Security audit

Asf V4

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenClaw governance and optimization add-on, with some operational safety caveats but no artifact-backed evidence of deception, exfiltration, or destructive behavior.

Before installing, review the optimizer settings and enable them only where governance changes are acceptable. Back up and validate your OpenClaw config before editing it, protect any ClawHub API token used for publishing, and treat scripts/security-audit.sh as a developer helper rather than a hardened security boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The module publicly exports bulk-read and destructive registry helpers (`getAllAgentStatuses`, `clearRegistry`, `getRegistrySize`) for a shared in-memory store that contains governance, KPI, and budget status for all agents. In a skill/integration context, exposing unrestricted state inspection and deletion expands the attack surface beyond the stated agent-status extension purpose, enabling unauthorized disclosure of operational metadata and integrity loss through state wiping.

Intent-Code Divergence

Low
Confidence: 80%
Finding
The comments indicate the registry is a temporary development fallback, but the code exports the fallback's bulk-access and destructive functions as normal public functionality. That mismatch increases the chance that temporary debug capabilities remain reachable in real deployments, where they can be misused to enumerate all agent status data or clear the registry unexpectedly.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The helper function executes its second argument with shell eval, which is unsafe because any variable interpolation or future reuse with untrusted input can result in arbitrary command execution. Although the current call sites are hardcoded strings, this still undermines the script's own security claim about avoiding eval-like behavior and creates a latent RCE footgun in a security audit tool.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide instructs users to export an API token and use it in a curl command, but it does not warn about protecting the token from shell history, screenshots, pasted logs, or accidental reuse in shared terminals. This can lead to credential exposure and unauthorized publishing or account actions if the token is leaked.

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill describes automatic rollback and online optimization, which implies it may make runtime-affecting changes, but the documentation does not prominently warn users about this operational behavior. In an agent skill context, self-modifying or environment-affecting actions without explicit warning can lead to unintended service changes, workflow disruption, or unsafe automation.

Missing User Warnings

Medium
Confidence: 90%
Finding
The configuration enables the optimizer by default, even though the feature appears capable of making online changes and triggering rollback logic. Enabling system-affecting automation by default raises the risk of unexpected modifications in production or shared environments, particularly when users may treat the skill as documentation-only or advisory.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document instructs users to directly edit `~/.openclaw/openclaw.json` to enable the skill but provides no warning to back up the file, validate JSON syntax, or describe the operational impact of enabling a new skill. This can cause configuration breakage, unintended activation of unreviewed functionality, or disruption of the local OpenClaw environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
This section goes further by telling users to enable the plugin and set operational config values such as `vetoRules` and `safeOptimizer` directly in local configuration, again without warnings, compatibility checks, or rollback steps. In skill context, this is more dangerous because it activates behavior-changing governance and optimization features that may affect agent execution, not just display metadata.

Missing User Warnings

Medium
Confidence: 94%
Finding
Using eval to execute constructed shell conditions is dangerous because it causes an extra parsing step and can turn data into code if the condition string is ever influenced by external input. In the context of a security audit script, this is more concerning because such tooling may later be extended, parameterized, or run in CI, amplifying the risk of command injection and making the security posture of the skill less trustworthy.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code: suspicious.dynamic_code_execution
Location: scripts/security-audit.sh:52