OpenClaw Updater

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw maintenance helper that changes local OpenClaw and workspace state and can send Telegram alerts, with no evidence of hidden or malicious behavior.

Install only if you want an agent-assisted OpenClaw update and rollback workflow. Run --dry-run first, review workspace contents before allowing automatic git add/commit, store the Telegram token file carefully or skip the notification wrapper, set BACKUP_SCRIPT only to a trusted script, and verify rollback versions and backup contents before restoring or running npm install -g.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs users to execute shell commands and scripts, yet no permissions are declared. This creates a trust and safety gap: an agent or user may invoke filesystem-modifying and package-management operations without explicit capability disclosure, increasing the risk of unexpected command execution and harder review of what the skill can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond local update/rollback into outbound Telegram Bot API communication using stored credentials. That is a material behavior expansion from an updater skill, and it introduces external data egress, credential handling, and network dependency that a user may not expect from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script executes whatever program path is provided in the BACKUP_SCRIPT environment variable as long as it is executable. Because environment variables are untrusted input and there is no validation, allowlist, prompt, or restriction to a trusted directory, an attacker or unsafe caller could cause arbitrary code execution in the context of the update workflow.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The updater includes Telegram notification behavior that is not part of the stated updater scope, introducing outbound communications and secret handling unrelated to core update logic. In a privileged maintenance script, undisclosed network egress increases attack surface and may leak operational metadata such as versions, timing, and failure states to third parties.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script sends messages to the Telegram API from within an updater, which is an unnecessary external messaging capability for a system-maintenance action. This creates data egress to a third-party service and could expose system state, installed versions, and update failures without clear necessity or user awareness.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The updater reads bot credentials from a local env file and environment variables for a nonessential notification feature. Loading secrets into a broadly scoped update process increases exposure and couples sensitive credentials to a script that does not need them for update functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The restore instructions extract a backup over `~/.openclaw/`, which can overwrite existing configuration and workspace data. Without a prominent warning, confirmation step, or safer restore target, users may unintentionally destroy newer local state or merge incompatible files during recovery.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Running an executable specified by BACKUP_SCRIPT without confirmation or warning creates a clear arbitrary code execution path. In the context of an updater safety script, users may assume operations are limited to backup tasks, so silently launching external code increases the chance of unintended execution with the user's privileges.

Session Persistence

Medium
Category
Rogue Agent
Content
The update script sends success/failure notifications via Telegram Bot API (bypasses OpenClaw gateway, so it works even if the update breaks the gateway).

Create `~/.openclaw/.telegram-notify.env`:

```
TELEGRAM_BOT_TOKEN=<your-bot-token>
```
Confidence
83% confidence
Finding
Create `~/.openclaw/.telegram-notify.env`:

```
TELEGRAM_BOT_TOKEN=<your-bot-token>
TELEGRAM_CHAT_ID=<your-chat-id>
```

```bash
chmod 600 ~/.openclaw/.telegram-notify.env
```

The bot token is the sa

VirusTotal

58/58 vendors flagged this skill as clean.
