Openclaw Expert

Security checks across malware telemetry and agentic risk

Overview

This documentation skill appears purpose-built for OpenClaw support, but some examples could lead users or agents to run unverified remote code, store secrets unsafely, or persist/export sensitive data without enough warning.

Install only if you specifically need OpenClaw administration help and will review commands before running them. Prefer package-manager or signed-release installs over curl-to-shell snippets, avoid placing real tokens in config examples, restrict broad triggers if possible, and treat memory, embeddings, webhooks, and logging integrations as potentially sensitive data flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The example states that host access is 'vollständig blockiert' / completely blocked, but the container mounts ./data into /home/openclaw/.openclaw without a read-only flag. That means the agent can still modify host-backed files in that mounted path, so the documentation overstates the isolation boundary and could lead operators to grant more trust than is warranted.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation shows plaintext token and secret examples directly inside configuration blocks, including bot tokens, app tokens, and environment variables embedded under `env`. Even if intended as placeholders, this normalizes storing sensitive credentials in config files and increases the risk that operators paste real secrets into files that may be committed, backed up, or exposed through support bundles and workspace access.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding
The file documents automatic hot-reload and restart behavior without clearly warning that edits can take effect immediately on a running gateway. In a live deployment, administrators may unknowingly apply insecure channel, auth, routing, or tool changes instantly, causing unintended exposure or disruption.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document says a gateway token is generated and written into `.env`, but it does not tell users to treat that value as a secret, avoid committing it, and restrict file permissions. In an agent/gateway context, this token likely grants administrative or session access, so accidental disclosure through source control, backups, logs, or shared workspaces could expose the service.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The shell-helper instructions download a script directly from GitHub and then persistently source it from `~/.zshrc`, causing code from a remote location to execute in every future shell session. If the upstream repository, branch, transport path, or local file is tampered with, this becomes persistent arbitrary code execution on the user's machine.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation recommends piping a remote installer directly into bash with no warning or verification step. This is dangerous because users may execute unreviewed code from a network source, and any compromise of the hosting endpoint, DNS, TLS trust, or distribution pipeline turns the docs into a code-execution vector.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This example fetches and executes a remote setup script with sudo/root privileges and provides no safety warning. Executing network-fetched code as root dramatically increases blast radius because a compromised script can install persistence, alter system configuration, or exfiltrate secrets from the host.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The guide recommends piping a remotely fetched script directly into `sudo bash`, which executes unreviewed network content with root privileges. If the upstream repository, transport path, or account is compromised, users could install arbitrary malicious code immediately on their host.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The examples show placing API keys directly on the command line or in config without warning that shell history, process listings, logs, and plaintext config storage may expose credentials. In an installation guide for an agent framework that handles provider secrets, this normalizes unsafe secret handling and increases the chance of credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document describes an automatic, silent memory flush that writes session-derived information to disk with a default `NO_REPLY`, meaning users may not realize potentially sensitive conversation content is being persisted. In an AI agent framework, silent persistence of user/session data without explicit notice or consent creates a real privacy and data-governance risk, especially when sessions may contain secrets or personal information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The configuration allows use of remote embedding providers for memory search, which implies memory content or snippets may be transmitted to third-party APIs, but the document does not clearly warn about this data flow. Because the feature operates on stored memory and extra paths, users or operators could unintentionally send sensitive internal notes, transcripts, or workspace content to external services.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document recommends sending "jede Interaktion" / every interaction to Supabase as a logging backend, but does not mention consent, data minimization, retention, or the possibility that prompts/responses may contain secrets or personal data. In an agent framework context, this can normalize exporting sensitive conversation data to a third-party service without adequate privacy review, increasing the risk of unintended disclosure and compliance issues.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The webhook integration section encourages sending and receiving data via network endpoints but omits a warning that user content may leave the local system and traverse external services. In the OpenClaw context, webhooks can carry agent outputs, prompts, and metadata, so the missing warning could lead operators to expose user data or automation flows without authentication and privacy safeguards.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The manifest defines many broad triggers such as "gateway", "models", "skills", "agents", "memory", and "troubleshooting", which are common terms likely to appear in unrelated conversations. This can cause the skill to activate outside its intended scope, increasing the chance that its instructions or reference content influence tasks where they are not appropriate, including security-sensitive contexts involving secrets or workspace files.

External Script Fetching

Severity: High
Category: Supply Chain
Content:
### Getting Started
```bash
# 1. Install
curl -fsSL https://get.openclaw.ai | bash

# 2. Run the wizard (token, model, Telegram bot)
openclaw setup
```
Confidence: 99%
Finding
curl -fsSL https://get.openclaw.ai | bash

External Script Fetching

Severity: High
Category: Supply Chain
Content:
### VPS Setup
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale ip -4   # e.g. 100.64.x.x
```
Confidence: 96%
Finding
curl -fsSL https://tailscale.com/install.sh | sh

External Script Fetching

Severity: Low
Category: Supply Chain
Content:
```bash
sudo apt update && sudo apt upgrade -y

# 3. Install Node.js 22+
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
sudo apt install -y nodejs

# 4. Tailscale
```
Confidence: 97%
Finding
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash

External Script Fetching

Severity: High
Category: Supply Chain
Content:
```bash
sudo apt install -y nodejs

# 4. Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# 5. OpenClaw (node host only, no gateway!)
```
Confidence: 96%
Finding
curl -fsSL https://tailscale.com/install.sh | sh

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
```bash
sudo apt update && sudo apt upgrade -y

# 3. Install Node.js 22+
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo bash -
sudo apt install -y nodejs

# 4. Tailscale
```
Confidence: 95%
Finding
| sudo

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
### Getting Started
```bash
# 1. Install
curl -fsSL https://get.openclaw.ai | bash

# 2. Run the wizard (token, model, Telegram bot)
openclaw setup
```
Confidence: 98%
Finding
| bash

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
### VPS Setup
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale ip -4   # e.g. 100.64.x.x
```
Confidence: 95%
Finding
| sh

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
```bash
sudo apt install -y nodejs

# 4. Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# 5. OpenClaw (node host only, no gateway!)
```
Confidence: 95%
Finding
| sh

VirusTotal

65/65 vendors flagged this skill as clean.