Gateway Upgrade Local Fork

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate local OpenClaw upgrade aid, but it needs Review because it can alter services and databases, expose raw environment values, and includes unguarded deletion commands.

Install only if you intend to let the agent perform local OpenClaw maintenance. Before running any commands, confirm fresh backups exist, inspect the shell scripts, redact environment values in reports, and replace destructive rollback or cleanup commands with a safer confirmed rename or two-step deletion process.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The script assigns the database path as `\$HOME/...`, which preserves a literal `$HOME` instead of expanding the user's home directory. As a result, the pre-check for existing indexes and the post-run verification query operate on the wrong or nonexistent file, so the script may skip needed rebuilds, report incorrect vector counts, or mark agents as successfully processed without validating the real database state.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: Broad trigger phrases like generic requests to 'upgrade OpenClaw' can cause the skill to activate in contexts where the user did not intend a full local service/database manipulation workflow. Because this skill performs impactful upgrade and rebuild operations, accidental invocation can lead to service disruption or unwanted system changes.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill is explicitly designed to manipulate local services, binaries, and databases, yet the top-level documentation does not prominently warn that these are system-impacting and potentially disruptive operations. In a high-privilege maintenance context, missing warnings increase the chance of operators initiating destructive changes without understanding restart, downtime, rollback, or data-integrity risks.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The guide tells users to inspect and record service environment values, including HF_ENDPOINT and other custom variables, without warning that environment data may contain sensitive infrastructure details or credentials. Even if the examples shown are not secrets, this pattern normalizes copying raw environment configuration into logs or notes, which can expose private endpoints or tokens if present in adjacent variables.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The report template asks users to persist raw service environment values, increasing the chance that sensitive configuration is stored in plaintext in markdown files, tickets, or chat logs. In operational settings, such documentation often gets shared, so capturing unredacted values can lead to disclosure of internal endpoints, access tokens, or proprietary model configuration.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The post-flight checklist prints raw environment variable values from a user service file to stdout, including variables like HF_ENDPOINT and any similarly patterned additions that may contain internal URLs, tokens, paths, or other sensitive configuration. Even in a local-only upgrade workflow, this can leak secrets into terminal scrollback, shell logs, screenshots, CI captures, or support bundles, creating avoidable exposure.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The document instructs the operator to execute a local rebuild script that performs system- and data-modifying actions, but it does not include an explicit warning, confirmation step, or summary of side effects before execution. In this skill's context, the script appears intended for maintenance rather than abuse, but blindly running workspace scripts during verification increases the risk of unintended data changes, long-running GPU workloads, or execution of a tampered script if the local fork has been modified.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The rollback procedure includes a destructive deletion step (`rm -rf $HOME/openclaw-local`) without an explicit warning or pre-check that the path is correct, that a valid backup exists, and that any untracked local changes will be permanently lost. In a local service-maintenance skill, operators may copy-paste commands directly, so omission of safeguards materially increases the chance of accidental data loss during an already high-stress rollback event.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The cleanup commands permanently remove `.bak` rollback artifacts after 30 days, but the document does not clearly warn that these files are the recovery points needed for future rollback. Because the skill manages local service binaries and systemd units, deleting backups without a strong warning can eliminate the only practical recovery path if a latent issue appears later.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script prints raw values of environment variables from the systemd unit into the generated report. Variables like HF_ENDPOINT and model-related settings may reveal internal endpoints, filesystem paths, or deployment-specific secrets if additional sensitive variables are later added using the same pattern, causing unintended disclosure in logs, terminals, or shared reports.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal