Security audit

SolCal Recovery

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw recovery toolkit, but it makes high-impact system changes and copies sensitive credentials with too little control or warning.

Review before installing. Use only if you are comfortable with scripts that can install software, start and stop OpenClaw, delete logs and session directories, and copy a GitHub token into backups. Prefer running diagnostics first, inspect scripts before any repair/reset path, avoid backing up secrets unless encrypted and access-restricted, and do not run the curl-piped installer path without independent verification. VirusTotal and the static scan were clean, so this is not classified as malicious, but the artifact-backed operational risk warrants Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (28)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a beginner-friendly repair toolkit, but the described behavior includes software installation/reinstallation, process termination, destructive reset flows, backup/restore of sensitive material such as skills and a GitHub token, and external network calls including curl-piped shell installation. That mismatch is dangerous because users may authorize a seemingly routine repair skill without understanding that it can modify the system extensively, exfiltrate or mishandle secrets, and execute downloaded code.

Scope Creep

High
Confidence
97% confidence
Finding
The script performs an outbound network request with curl to api.minimax.io even though the skill manifest declares only shell.exec, file.read, and file.write permissions. This creates hidden network behavior that users and policy systems cannot accurately evaluate, and in an agent context undeclared egress can expose environment details or enable unreviewed external communications.

Scope Creep

Critical
Confidence
99% confidence
Finding
The script downloads and installs Ollama from the network without any declared network permission, combining undeclared egress with software installation. In a recovery skill with shell execution rights, this is especially dangerous because it expands the host's trust boundary and can introduce arbitrary code from a remote source during troubleshooting.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The function prompts the user for an API key but never persists the entered secret, despite claiming to configure API keys. This mismatch is dangerous because it trains users to disclose sensitive credentials to a script that does not complete the intended secure storage flow, increasing risk of accidental exposure, misuse in future revisions, or unsafe manual handling.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script automatically installs Ollama and pulls a model, which goes beyond a guided repair assistant and introduces undeclared external side effects. This is dangerous because running the skill can change the host environment and fetch untrusted remote content without explicit user consent or a clearly declared network/install capability.

Scope Creep

High
Confidence
97% confidence
Finding
The script performs network-backed installation and model retrieval, but the declared permissions only include shell execution and file access. This mismatch is dangerous because users and policy systems may approve the skill under false assumptions while it still reaches out to the network, downloads code, and modifies the system.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script goes beyond diagnostics and recovery by conditionally installing software via Homebrew or npm. In a skill with only shell/file permissions and no explicit package or network installation scope, this expands the attack surface and can unexpectedly modify the host system or pull untrusted code during a repair action.

Scope Creep

High
Confidence
97% confidence
Finding
The script invokes package managers to install software without a corresponding declared permission for package/network/system installation. This is dangerous because a recovery script can silently fetch and execute remote packages, creating supply-chain risk and violating least-privilege expectations for the skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script explicitly copies a GitHub access token into a backup directory, increasing the number of stored secret copies and broadening exposure if the backup is later read, synced, or shared. In a repair/backup skill with file read/write and shell execution, persisting credentials is especially risky because the backup location may not have equivalent access controls or user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes an 'Emergency Repair' as a 'nuclear option' that resets the environment, but it does not explicitly warn users about possible data loss, overwritten state, or irreversibility before encouraging execution. In a beginner-focused recovery toolkit with shell execution permissions, this omission can lead users to run destructive commands without understanding the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that backups include a GitHub token but gives no warning that this is a sensitive credential which should be encrypted, access-restricted, or excluded from backups by default. Storing tokens in backup folders under a home directory increases the risk of credential exposure through local compromise, accidental sharing, or insecure backup handling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README suggests disabling the firewall with `sudo pfctl -d` as a troubleshooting step without clearly warning that this reduces host network protections and may expose services unnecessarily. Because this is a repair guide for potentially non-expert users, they may execute the command without understanding the security tradeoff or re-enabling protections afterward.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises 'Restore' and 'Emergency Reset' capabilities, including a 'nuclear option,' without an explicit warning about data loss, service interruption, or system changes. In a recovery context this is especially risky because distressed users are more likely to run automated fixes quickly, increasing the chance of unintended destructive actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The auto_repair path triggers installation, service start, and credential configuration actions immediately, without asking for explicit confirmation. In a repair tool with shell.exec permission, this can cause unexpected system changes, package installation, or service activation that the user did not intend, increasing operational and security risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script executes a remote installer via curl piped directly to sh, without a strong warning or verification step. This pattern allows any compromise of the remote server, CDN, DNS, or transport path to become immediate arbitrary code execution on the host.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script collects system status from `openclaw gateway status` and sends it to Ollama without warning the user that potentially sensitive operational data will be shared. Even if Ollama is local in some setups, the script does not verify locality or obtain consent, so environment details may be disclosed unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script deletes log files automatically with no confirmation, backup, or warning about data loss. In a recovery context, logs are often needed for forensic analysis and troubleshooting, so deleting them can hinder incident response and obscure root-cause investigation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script deletes the existing session directory unconditionally before restoring from backup, with no warning, prompt, or safety checks. In a recovery tool with shell execution and file write permissions, this can cause irreversible data loss if the backup path is wrong, incomplete, stale, or attacker-controlled.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script saves the GitHub token and reports success without a prominent warning that sensitive credentials were copied, which can mislead users into treating the backup as ordinary diagnostic data. That increases the chance the backup will be uploaded, transferred, or stored insecurely, exposing repository access tied to the token.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "💾 Saving Sol state..."
echo "Backup location: $BACKUP_DIR"

mkdir -p "$BACKUP_DIR"

# Save config
if [ -f "$CONFIG_FILE" ]; then
Confidence
83% confidence
Finding
mkdir -p "$BACKUP_DIR"

# Save config
if [ -f "$CONFIG_FILE" ]; then
    cp "$CONFIG_FILE" "$BACKUP_DIR/openclaw.json"
    echo "✓ Config saved"
fi

# Save sessions
if [ -d "$SESSIONS_DIR" ]; then

Session Persistence

Medium
Category
Rogue Agent
Content
# Save secrets (token only)
if [ -f ~/.openclaw/workspace/secrets/github-token.txt ]; then
    mkdir -p "$BACKUP_DIR/secrets"
    cp ~/.openclaw/workspace/secrets/github-token.txt "$BACKUP_DIR/secrets/" 2>/dev/null || true
    echo "✓ GitHub token saved"
fi
Confidence
98% confidence
Finding
mkdir -p "$BACKUP_DIR/secrets"
cp ~/.openclaw

External Script Fetching

High
Category
Supply Chain
Content
if command -v brew &> /dev/null; then
            brew install ollama
        else
            curl -fsSL https://ollama.ai/install | sh
        fi
    fi
Confidence
99% confidence
Finding
curl -fsSL https://ollama.ai/install | sh

External Script Fetching

High
Category
Supply Chain
Content
# Check Ollama
if ! command -v ollama &> /dev/null; then
    echo "Installing Ollama..."
    curl -fsSL https://ollama.ai/install | sh
fi

# Pull model if needed
Confidence
99% confidence
Finding
curl -fsSL https://ollama.ai/install | sh

Chaining Abuse

High
Category
Tool Misuse
Content
if command -v brew &> /dev/null; then
            brew install ollama
        else
            curl -fsSL https://ollama.ai/install | sh
        fi
    fi
Confidence
99% confidence
Finding
| sh

Chaining Abuse

High
Category
Tool Misuse
Content
# Check Ollama
if ! command -v ollama &> /dev/null; then
    echo "Installing Ollama..."
    curl -fsSL https://ollama.ai/install | sh
fi

# Pull model if needed
Confidence
99% confidence
Finding
| sh

VirusTotal

61/61 vendors flagged this skill as clean.
