Openclaw Config Master

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate OpenClaw configuration helper, but some examples and scripts could expose chat access, collect sensitive prompt/message data, or delete backups without enough safeguards.

Install only if you intend to let an assistant help manage OpenClaw Gateway configuration. Review every proposed patch before applying it, avoid open group policies unless intentional, keep secrets in environment variables or a secrets provider, leave prompt/message/system-content diagnostics off except for short controlled debugging, and preview backup deletion or restore operations before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill instructs use of shell and file-reading capabilities but does not declare permissions, which weakens transparency and policy enforcement around what the skill can access. In a config-management skill, these capabilities are plausible, but undeclared access can lead to unexpected reading of sensitive config, logs, or secrets-related files and makes review harder.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The skill's declared purpose is configuration editing/validation, but the observed behavior includes backup rotation, restore flows, filesystem mutation, deletion, and migration checks outside that scope. This mismatch is dangerous because operators may trust the skill for low-risk config advice while it actually enables broader state-changing operations that can alter or destroy files and affect recovery paths.

Context-Inappropriate Capability

Medium
Confidence: 79%
Finding:
The retention feature deletes files automatically using a broad file match inside a user-controlled backup directory. While intended to prune old backups, this can remove unintended files matching the pattern, especially if the directory is misconfigured, shared, or contains symlinks/hardlinks or manually placed similarly named files. In a config-management skill, destructive file deletion increases risk because the stated purpose is editing/validation, not cleanup of arbitrary filesystem contents.

Intent-Code Divergence

Medium
Confidence: 90%
Finding:
The script advertises validation for OpenClaw config formats including JSON5, but its syntax check uses Python's standard json module, which rejects JSON5 features such as comments and trailing commas. In a configuration-management skill, this mismatch can cause valid configs to be incorrectly rejected or encourage operators to bypass validation, weakening trust in the tool and potentially letting real misconfigurations slip through.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The header claims the script validates syntax, structure, required fields, and field values, but the implementation performs mostly existence/readability/size/permission checks and a generic 'openclaw doctor' call. In this skill's security-sensitive context, overclaiming validation can create a false sense of safety, causing insecure or broken gateway settings to be accepted without proper schema or policy checks.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The document instructs users to grep Gateway logs for message sender identifiers, which can expose user IDs and other message metadata to anyone with log access. Because it omits any warning about retention, access control, or redaction, it encourages operational practices that may leak sensitive identifiers during troubleshooting.

Missing User Warnings

High
Confidence: 97%
Finding:
The diagnostics example enables collection of messages, prompts, and system information in tracing, which can capture secrets, personal data, and sensitive internal context. Presenting this as a normal configuration example without strong warnings or compensating controls materially increases the risk of sensitive data exposure through logs, tracing backends, or support workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
