ClawHub
Back to skill

Security audit

OpenClaw Agent Clone

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real configuration clone tool, but importing a package can overwrite persistent agent files and auto-install package-chosen skills with too little control.

Install only if you understand that clone packages should be treated as trusted code and configuration. Before importing, inspect every filename, identity/rule/tool file, memory block, and listed skill; avoid packages from unknown sources, and expect to reconfigure credentials manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""安装skill"""
    import subprocess
    try:
        result = subprocess.run(
            ['skillhub', 'install', slug],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
result = subprocess.run( ['skillhub', 'install', slug], capture_output=True, text=True, timeout=60 )

Tainted flow: 'filepath' from os.environ.get (line 171, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def write_file(filepath, content):
    """写入文件"""
    filepath.parent.mkdir(parents=True, exist_ok=True)
    with open(filepath, 'w', encoding='utf-8') as f:
        f.write(content)

def install_skill(slug):
Confidence
91% confidence
Finding
with open(filepath, 'w', encoding='utf-8') as f:

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The export flow claims to filter sensitive information, but only `openclaw.json` is filtered; identity, config, and optional memory files are exported verbatim. Those files can easily contain prompts, credentials, personal data, or tokens, so the tool may exfiltrate sensitive data when users share the generated package.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The key-based filter is incomplete because it only redacts values whose field names contain certain keywords. Secrets embedded under innocuous keys, inside strings, nested file contents, or alternative names will pass through, creating a false sense of safety and increasing the risk of sensitive data leakage.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad enough to match common user language such as 'export', 'import', 'clone', or 'clone yourself', which can cause the skill to activate in situations not clearly intended as configuration transfer. In this skill, unintended activation is more dangerous because the described actions include exporting identity/profile data and importing packages that overwrite config and install skills.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Auto-installing missing skills during import creates a supply-chain and privilege-expansion path, especially when the package source may be untrusted or user-provided. The lack of a strong warning or trust model makes users more likely to import packages without understanding that code or capabilities may be added to the agent environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The import operation overwrites workspace files from untrusted package content immediately after parsing, with no confirmation, preview, or integrity check. Even with backups, this enables silent replacement of agent identity and configuration files, which can alter behavior, inject hostile instructions, or cause denial of service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The optional memory import writes `MEMORY.md` from package data without a specific warning about replacing personal or behavioral memory. This can silently poison agent memory with attacker-supplied instructions or overwrite sensitive user-specific context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Imported package data directly drives external skill installation with no prior warning or approval. In this context, that is especially dangerous because skills are executable extensions; importing a package becomes a mechanism for pulling and running additional untrusted code.

Ssd 3

Medium
Confidence
96% confidence
Finding
The export package explicitly includes identity files, user information, installed skills, and optionally memory, all intended for sharing. Even with secret filtering, these artifacts can contain sensitive personal data, behavioral history, system prompts, internal rules, or operational context that enable privacy loss, impersonation, prompt extraction, or targeted follow-on attacks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal