Openclaw Ref

Security checks across malware telemetry and agentic risk

Overview

This is a broad OpenClaw reference skill that documents powerful administrative features, but the artifacts are coherent documentation rather than hidden or automatic behavior.

Install this only if you want an operational OpenClaw admin reference. Before following its examples, treat bot tokens, gateway tokens, OAuth files, ~/.openclaw, group chat history, webhooks, shell/exec settings, node camera/screen/location commands, plugins/hooks, and uninstall/reset commands as sensitive. Prefer environment variables for secrets, keep Telegram/group access allowlisted, avoid sending reasoning or private group history unless intentional, back up ~/.openclaw before migration or cleanup, and require explicit user approval for shell, elevated, node, and destructive operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium (92% confidence)
The skill is presented as a configuration/CLI troubleshooting/model-management reference, but it documents substantially broader operational powers including channels, nodes, browser control, pairing, webhooks, and security-sensitive device operations. This scope expansion increases the chance an agent or user will rely on the skill to perform actions outside the declared purpose, weakening least-privilege expectations and making risky capabilities easier to invoke without scrutiny.

Context-Inappropriate Capability

Medium (95% confidence)
Documenting `! <cmd>` as a host shell escape inside a general reference skill exposes a direct path to arbitrary command execution, which is far more dangerous than passive documentation of configuration commands. In an agent context, even mentioning this capability without strong warnings and gating can normalize or encourage execution of untrusted shell commands on the host.

Missing User Warnings

Medium (92% confidence)
The documentation exposes an option to transmit internal reasoning (`includeReasoning: true`) but does not clearly warn that reasoning may contain sensitive data, system prompts, hidden chain-of-thought, or other confidential context. In a heartbeat feature that periodically sends automated messages to external channels, enabling this can unintentionally leak sensitive information on a recurring basis.

Missing User Warnings

Medium (84% confidence)
The file states that group messages may be stored and injected into model context even when they do not trigger a reply. In a channel integration reference skill, this can lead operators to deploy behavior that collects and processes bystander messages without clear notice or consent, increasing privacy leakage risk and potentially exposing sensitive content to the model and logs.

Missing User Warnings

Medium (95% confidence)
The documentation instructs users to call the Telegram Bot API with the bot token embedded directly in the command line, but does not warn that the token is a credential with full bot-control implications. Tokens placed in shell history, screenshots, logs, or shared snippets can be reused by anyone who obtains them to read updates, send messages, or reconfigure bot behavior.

Missing User Warnings

Medium (90% confidence)
The guidance recommends disabling Telegram privacy mode so the bot can see all group messages, but does not clearly warn that this expands the bot's visibility to all conversations in those groups. In a configuration reference for an agent platform, this can cause administrators to enable broad collection of user content without understanding the privacy and compliance consequences.

Missing User Warnings

Medium (88% confidence)
The cheat sheet lists destructive commands like reset and uninstall in the same neutral format as harmless status commands, without warning about deletion of configuration, services, or data. In a reference skill meant to guide modifications and troubleshooting, omission of safety warnings materially increases the risk of accidental destructive use.

Missing User Warnings

High (96% confidence)
The documentation includes sensitive operations such as token-based channel setup, remote command execution, camera/screen/location access, and other surveillance-capable features without privacy, consent, or credential-handling warnings. In this skill’s context, that makes high-impact actions appear routine and lowers the barrier to misuse or unauthorized monitoring/execution.

Missing User Warnings

Medium (88% confidence)
The reference states `agents.defaults.elevatedDefault` defaults to `on` without any cautionary note. In an agent system, enabling elevated behavior by default increases the chance that dangerous tools or privileged actions are used unintentionally, especially by users treating this document as authoritative setup guidance.

Missing User Warnings

Medium (94% confidence)
The document describes shell-command enablement (`commands.bash`) and execution approval controls (`tools.exec.approvals.*`) without warning that they can authorize arbitrary system command execution. Because this skill is meant to be consulted when modifying configuration, omission of guardrails can normalize insecure setups that permit destructive or host-compromising actions.

Missing User Warnings

Medium (83% confidence)
The document shows plaintext credential fields and discloses credential storage locations without warning users against hardcoding secrets or exposing them in logs, backups, or shared files. In a configuration reference skill, this increases the chance that operators will store reusable gateway tokens or passwords insecurely, especially because the same document also discusses non-loopback exposure and remote access.

Missing User Warnings

Medium (88% confidence)
The document exposes high-risk operational capabilities including camera capture, screen recording, location retrieval, JavaScript evaluation in WebView, and remote command execution on nodes, but it does not pair these commands with clear safety boundaries, authorization expectations, audit requirements, or privacy warnings. In a reference skill that users are told they must consult when modifying config or executing CLI commands, this omission increases the chance of unsafe or unauthorized use of powerful features.

Missing User Warnings

Medium (95% confidence)
The document includes destructive uninstall commands (`openclaw uninstall --all --yes`, `npm uninstall -g openclaw`) without an explicit warning that state, configuration, logs, credentials, and session data may be deleted. In a reference skill that users are instructed to consult for operational tasks, omission of a prominent warning materially increases the chance of accidental data loss.

Missing User Warnings

Medium (97% confidence)
The migration step tells users to copy the entire `~/.openclaw/` directory to a new machine, but the same file documents that this directory contains credentials, auth profiles, session records, logs, and other sensitive state. Without a warning, users may unknowingly expose secrets or private conversation data during transfer, backup, or storage on less secure systems.

Missing User Warnings

Medium (96% confidence)
The manual cleanup section recommends deleting `~/.openclaw` and the LaunchAgent plist without a prominent irreversible-data-loss warning. Because `~/.openclaw` is documented as containing configuration, credentials, sessions, logs, memory indexes, and workspaces, this can lead to accidental destruction of important operational and sensitive data.

VirusTotal

65/65 vendors flagged this skill as clean.
