Bengii Gemini Fix

Security checks across malware telemetry and agentic risk

Overview

This is mostly a documentation-only OpenClaw admin skill, but it covers powerful shell, remote device, credential, persistence, and third-party data paths without consistently strong guardrails.

Install only if you want an AI assistant to have detailed OpenClaw administrator guidance. Before following its suggestions, require explicit confirmation for installs, restarts, config changes, elevated/full execution, local shell commands, node device actions, remote workflow runs, and any action involving tokens, session directories, PDFs, memory, Firecrawl, or cloud embedding providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The Firecrawl section explicitly promotes anti-bot bypass and stealth capabilities that go beyond ordinary OpenClaw administration guidance and can enable operators to circumvent website protections. In a support skill, documenting this as a normal fallback increases the likelihood of misuse and normalizes functionality that may violate site access controls or terms of service.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document claims the plugin makes only local subprocess calls and no network calls, but nearby examples clearly show it invoking other tools that can perform networked actions such as Gmail queries and Telegram sending. This contradiction can mislead users and downstream agents into underestimating the risk boundary, causing them to enable or trust the tool in environments where indirect network egress and external side effects should be prohibited.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The file materially expands the skill from gateway administration into remote peripheral control of connected devices, including execution and data-capture capabilities. That scope mismatch is security-relevant because an agent selecting this skill for routine OpenClaw help could be exposed to powerful node operations not disclosed in the manifest, increasing the chance of unsafe tool use or user surprise.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This section documents `system.run` on remote node machines, which is effectively remote command execution. Even with allowlists and approvals mentioned, embedding these instructions in a broadly described support skill makes it easier for an agent to operationalize code execution on paired hosts beyond the user's likely expectation of 'setup and troubleshooting' guidance.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documented capabilities include screenshots, camera access, screen recording, location retrieval, and SMS sending on connected devices. These are surveillance and device-control primitives with substantial privacy and abuse potential, and their presence in a skill not explicitly scoped for such operations makes accidental or inappropriate agent assistance significantly more dangerous.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill documentation explicitly teaches that prefixing input with `!` executes arbitrary local shell commands on the TUI host. In an agent-skill context, exposing host command execution is dangerous because an LLM may surface or encourage this feature in response to user prompts, enabling command execution on the operator's machine well beyond mere OpenClaw guidance. The one-time prompt reduces accidental use but does not meaningfully mitigate the core risk of arbitrary shell access.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README includes examples where the AI would run system-changing commands such as global package installation, service restarts, forceful gateway actions, and security auto-fixes, but it does not clearly warn that these actions modify the host system and should require explicit user confirmation. In an agent-skill context, operational examples can be interpreted as endorsed default behavior, increasing the risk of an assistant executing impactful commands without adequate safety gating.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The README states that the skill will 'automatically trigger' whenever OpenClaw-related tasks are mentioned, but it does not define clear activation boundaries. In a tool-oriented skill that can guide configuration changes, restarts, and security operations, overly broad triggering increases the chance of unintended invocation and inappropriate high-impact guidance in loosely related conversations.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill description advertises configuration editing, key management, service operations, and security hardening, but it does not warn that these actions may alter live systems, expose secrets, or interrupt availability. In a security-sensitive admin skill, omission of safety prompts can normalize risky changes without ensuring the user understands operational consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples recommend high-impact actions such as global package upgrade, writing configuration, restarting the gateway, and using forceful recovery commands, but they provide no accompanying warning, validation, or confirmation requirements. This is dangerous because users or downstream agents may treat these examples as safe defaults and execute disruptive changes without checking environment-specific risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill lists security-impacting commands such as auto-fix, self-update, opening dashboards, and interactive control surfaces without surrounding guardrails or user-confirmation guidance. In an agent context, documentation that normalizes these actions can lead to unsafe execution, configuration drift, or unintended exposure when followed automatically.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation shows `--token <token>` on the command line. Command-line arguments are commonly exposed through shell history, process listings, crash reports, and telemetry, so this pattern can leak gateway credentials to local users or monitoring tools. Although a safer `--token-file` example appears nearby, the insecure example is still presented as normal usage at the point of use.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The Zed configuration example embeds `--token` directly in editor arguments, which risks persistent credential exposure in plaintext config files, editor sync, backups, screenshots, and local process inspection. This is more dangerous than a one-off shell example because users may copy it into long-lived configuration exactly as written.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The documentation states that `web_fetch` automatically falls back to Firecrawl but does not warn that requested URLs and potentially page content may be transmitted to an external third-party service. This creates a data handling and privacy risk because operators may unknowingly send sensitive internal URLs, credentials in query strings, or proprietary content outside their environment.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation explicitly advertises `/elevated full` as running commands on the gateway host with auto-approved execution, but it does not pair that capability with a clear warning about the security consequences. In the context of a multi-channel AI agent gateway, this can normalize unsafe operation and lead administrators to enable a mode that removes a key human approval barrier before host-level command execution.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation explicitly recommends `openclaw gateway --tailscale funnel` and labels it public/internet-accessible, but does not pair that with a clear warning about exposing the gateway to the internet, associated threat models, or hardening prerequisites. In a gateway/agent product handling messaging surfaces and remote control, this omission materially increases the chance that operators expose an administrative or high-value service without understanding the risk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The documentation presents a pipe-to-shell installer as a normal install method without any safety warning, verification step, or discussion of the trust implications. This is dangerous because it encourages operators to execute remote code directly from the network, turning any compromise of the host, CDN, DNS, TLS termination, or project distribution path into immediate code execution on the user's machine.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The installation instructions tell users to execute a remote network-fetched script directly with `bash`/`iex` without any warning, review step, checksum/signature verification, or explanation of trust assumptions. In an installation guide for a self-hosted gateway, this is particularly dangerous because users are likely to run the command with elevated privileges and grant broad system access to whatever content the remote endpoint serves at execution time.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The migration instructions explicitly tell users to copy the entire `~/.openclaw/` directory, including sessions, but provide no warning that this may include authentication material, device pairings, tokens, and other sensitive state. That creates a realistic risk of credential leakage, accidental over-sharing in backups, or insecure transfer to a new host.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The manual uninstall section tells users to remove `~/.openclaw/` without warning that this directory may contain persistent state, logs, sessions, configuration, and user data that will be permanently lost. In an operational gateway product, users may follow uninstall instructions during troubleshooting and unintentionally destroy recoverable data needed for rollback, audit, or migration.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document describes a silent automatic memory flush that writes durable context to persistent memory files when compaction is near, with no explicit warning or consent flow in the described behavior. In a self-hosted agent gateway, this can cause sensitive conversation details, credentials, or personal data to be retained unexpectedly, increasing privacy and data-retention risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The file lists cloud embedding providers for memory search but does not clearly warn that memory contents or chunks may be transmitted to third-party APIs for embedding generation. Because memory files are intended to store durable facts and notes, this can expose sensitive internal or personal information to external services without sufficiently explicit disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation explicitly identifies on-disk locations that store API keys and OAuth access/refresh tokens, but it does not warn that these files are highly sensitive, should have restrictive filesystem permissions, and must not be copied, committed, or shared. In a self-hosted gateway context, operators may follow the guide literally and leave credential stores insufficiently protected, increasing the risk of account compromise if the host, backups, logs, or support bundles are exposed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document explicitly advertises `/prose run <https://example.com/file.prose>` and remote handle/slug execution, then states the runtime fetches programs from `https://p.prose.md/...` using `web_fetch` and `exec` tools, but it does not pair this with a clear warning that fetched programs are untrusted content and may trigger tool use or other side effects. In a skill meant to guide installation and operation of a self-hosted agent gateway, that omission is security-relevant because users may be encouraged to execute remotely sourced agent workflows as if they were ordinary documentation examples.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation explicitly states that in native provider mode raw PDF bytes are sent directly to external provider APIs, but it does not warn users about the privacy, confidentiality, or compliance implications of transmitting potentially sensitive documents off-host. In the context of a self-hosted gateway that may process internal business files, this omission can cause operators to unknowingly exfiltrate sensitive data to third-party services.

VirusTotal

65/65 vendors flagged this skill as clean.