Clawzempic

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw efficiency audit tool that reads local or chosen remote OpenClaw state and prints findings, with no evidence of hidden persistence, data exfiltration, or destructive behavior.

Install only if you want an OpenClaw diagnostic that can read OpenClaw configuration, cron names, session metadata, and transcript file sizes. Before running it, verify any --dir path or --remote host, use an authorized low-privilege account for remote audits, and review reports before sharing them because they may reveal operational details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding:
The skill advertises and instructs local filesystem auditing behavior but does not declare corresponding permissions, which creates a transparency and consent gap for users and platform enforcement. In a security-sensitive agent environment, undeclared file-read capability can lead to overbroad inspection of local OpenClaw data, configs, transcripts, and workspace files beyond what a user may reasonably expect.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The declared description frames the skill as a local efficiency audit, but the content also exposes remote execution over SSH and fix/remediation behavior that materially expands its operational risk. That mismatch can cause users or orchestration systems to grant trust appropriate for a passive diagnostic tool while actually invoking actions on another host or generating commands that may change system state.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The remote mode states that the skill uses SSH to execute the audit on the target, but it does not prominently warn that commands will run on another machine and may access sensitive configuration, transcript, and session data there. In context, this is more dangerous because the skill is intended for infrastructure auditing, where remote targets are likely real production or VM environments and the implied trust can lead to unintended command execution on the wrong host.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill offers a --fix mode as 'automated fix suggestions' without clearly distinguishing whether it only recommends commands or may perform modifications, creating ambiguity around system-changing behavior. In an ops/audit context, users may invoke remediation expecting a read-only report and inadvertently alter configs, cron behavior, or other OpenClaw state.

Missing User Warnings

Medium
Confidence: 90%
Finding:
When --remote is used, the script immediately execs SSH and streams the local script to the remote host without any explicit warning, confirmation, or preview of the action. In an agent skill context, hidden remote execution increases the chance that a user or higher-level automation triggers networked code execution on the wrong host or without understanding trust boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.
