Back to skill

Security audit

Clawdoc

Security checks across malware telemetry and agentic risk

Overview

This local diagnostic skill is coherent, but it needs Review because it can inspect private session logs more broadly than advertised.

Install only if you are comfortable letting the skill analyze local agent session logs. Use explicit /clawdoc commands rather than generic debug requests, review output before sharing it, avoid enabling CLAWDOC_LEARNINGS unless you want repository files changed, and do not run the dev conversion scripts on important output directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents shell execution and access to environment-dependent paths but declares no permissions, creating a mismatch between advertised behavior and security controls. This can lead to overbroad execution in environments that rely on manifest permissions for gating, auditing, or user consent.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The skill is primarily framed as diagnostic/reporting, but it also includes an optional mode that writes findings into `.learnings/LEARNINGS.md`. Even if optional, this expands the trust boundary from analysis to file modification, which can surprise users and downstream automation expecting read-only behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script accepts an arbitrary OUTPUT_DIR, prompts if it is non-empty, and then unconditionally executes rm -rf "$OUTPUT_DIR". In a developer context this can destroy unintended paths if the caller mistypes the argument, passes '/', or points to an important directory via symlink or variable expansion; the interactive prompt reduces but does not eliminate the risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to scan only recent sessions, but if the initial find command yields no results it falls back to scanning every JSONL file in the sessions directory. In a diagnostic skill, this can unexpectedly process large historical datasets, inflating runtime and cost and potentially surfacing older sensitive session content contrary to operator expectations.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented behavior says only recent sessions are scanned, but the implementation can analyze all session files. That mismatch is security-relevant because users may run this on large or sensitive session stores expecting limited scope, leading to excess data exposure, misleading reporting windows, and avoidable compute cost.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script's stated purpose is formatting diagnosis output, but it also conditionally writes to and mutates .learnings/LEARNINGS.md. Hidden or weakly disclosed state-changing behavior in a diagnostic/reporting tool is dangerous because users may run it expecting read-only formatting while it alters repository state, creating unintended persistence, noisy diffs, or tampering with project records.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises very broad natural-language triggers such as "What went wrong?" and "Give me a full diagnosis," which can cause the skill to activate in situations beyond the user's intended scope. In an agent environment, ambiguous triggers increase the chance of accidental invocation on unrelated conversations or sensitive session data, leading to unnecessary processing, confusion, or disclosure of diagnostic output.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad natural-language triggers like "debug," "diagnose," or "what's wrong" increase the chance of unintended invocation in ordinary conversation. In this skill, accidental activation is more dangerous because invocation can lead to shell commands over local session directories and potentially optional file writes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes writing to `.learnings/LEARNINGS.md` without a prominent user-facing warning that local files will be modified. This is risky because users may invoke a diagnostic skill expecting read-only analysis, while the optional mode silently changes repository state if the environment variable is set.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation explicitly instructs the agent/user to write a report to /tmp/openclaw-audit.txt without any warning that this will create or overwrite a local file. While /tmp is a conventional scratch location, blindly directing file creation can clobber existing data, and in adversarial or shared environments it normalizes unsafe write behavior without requiring confirmation or a safer unique filename.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script emits `sessionKey` directly in its JSON output, which can disclose a potentially sensitive session identifier or credential-like token to anyone who can view logs, terminal history, redirected files, or downstream tooling that consumes stdout. In this skill's context, the tool is explicitly meant to inspect agent session artifacts, so it is likely to be run on real production/debugging data, which increases the chance that exposed metadata will be copied into bug reports, shared diagnostics, or retained in CI logs.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script performs file writes and in-place updates to .learnings/LEARNINGS.md without an explicit interactive warning or confirmation at the moment of modification. In an agent skill context, this is more concerning because tools may be invoked automatically, so quiet persistence can surprise operators and alter repository state in ways that are easy to miss.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.