OpenClaw Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw helper, but its bundled docs include multiple high-impact setup, permission, persistence, and privacy examples that need careful review before use.

Install only if you specifically want OpenClaw documentation assistance. Treat generated commands as operationally sensitive: review remote installer scripts before running them, avoid approve-all permissions except in isolated trusted environments, secure secrets and backups, and be cautious with heartbeat, memory, media upload, and auto-start proxy features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (22)

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger is broad enough to activate on generic topics like AI agent gateways, chat-platform bot setup, deployment, and plugins even when the user is not asking about OpenClaw. This can cause inappropriate skill activation and inject a large body of vendor-specific instructions and documentation into unrelated conversations, increasing the risk of context hijacking, user confusion, and incorrect product-specific guidance.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation repeatedly recommends piping remotely fetched installer scripts directly into a shell or PowerShell interpreter. That removes any opportunity for users or downstream agents to inspect integrity or content first, so compromise of the hosting domain, CDN, DNS/TLS path, or script supply chain can immediately lead to arbitrary code execution on the target host.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The Nix quick-start prompt tells an AI agent to store bot tokens and provider API keys as plain files under ~/.secrets/ without any warning about file permissions, encryption, or secret-management practices. In an agent-oriented skill, users may copy this verbatim, causing credential exposure through backups, accidental commits, shared home directories, or overly permissive file modes.
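The file-permission gap this finding describes, as an added example that is not code from the OpenClaw docs or the skill: secrets written under a ~/.secrets-style directory with an owner-only umask, plus an audit that flags any file there readable by group or other. The directory is a scratch stand-in for ~/.secrets and the token values are constructed.

```shell
#!/bin/sh
# Added example, not from the OpenClaw docs: owner-only secret files and an
# audit for the mistake the Nix quick-start invites (plain files created with
# the default umask). The directory is a stand-in for ~/.secrets; values are fake.

# Write VALUE into DIR/NAME with mode 0600 from the moment of creation.
# The subshell umask avoids the window between "create" and "chmod" in which
# a 0644 file is briefly world-readable.
write_secret() {
  dir=$1; name=$2; value=$3
  mkdir -p "$dir" || return 1
  chmod 700 "$dir"
  (umask 077; printf '%s\n' "$value" > "$dir/$name")
}

# Octal mode of a file; GNU stat and BSD/macOS stat use different flags.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List every regular file under DIR whose group or other bits are set.
# Returns 0 when nothing is exposed, 1 otherwise, so it can gate a deploy step.
audit_secrets() {
  dir=$1; bad=0
  for f in "$dir"/* "$dir"/.[!.]*; do
    [ -f "$f" ] || continue
    mode=$(file_mode "$f")
    case "$mode" in
      *00) ;;                                   # e.g. 600 or 400: owner only
      *) echo "EXPOSED: $f (mode $mode)"; bad=1 ;;
    esac
  done
  return $bad
}

# Demo on a scratch directory with constructed values.
demo=$(mktemp -d)
write_secret "$demo" telegram-token '123456:EXAMPLE-NOT-A-REAL-TOKEN'
audit_secrets "$demo" && echo "clean: $demo"
# The mistake: a key dropped in with the default umask (or an explicit chmod 644).
printf 'sk-EXAMPLE\n' > "$demo/openai-key"; chmod 644 "$demo/openai-key"
audit_secrets "$demo" || echo "fix: chmod 600 $demo/openai-key"
rm -rf "$demo"
```

Run `audit_secrets ~/.secrets` before any backup or commit; the non-zero exit makes it usable as a pre-commit or deploy gate.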

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The Ansible quick-start presents a one-command remote installer fetched from GitHub and executed with bash, and the surrounding text states it deploys firewall, Docker, Node, OpenClaw, and services to production servers. Because it performs privileged host configuration changes, this is effectively remote code execution with infrastructure-wide impact if the fetched script or distribution path is tampered with.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The uninstall section includes destructive recursive deletion commands for state directories, workspaces, application bundles, and service files without an upfront warning about permanent data loss. In an AI skill context, users may execute snippets mechanically, leading to irreversible deletion of credentials, session history, and local files if paths are customized or misunderstood.
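A guard for the destructive deletions this finding describes, as an added example that is not code from the OpenClaw docs: before any `rm -rf` on a state or workspace path, check that the path resolves to a real directory strictly inside the root you expect, do a dry run, and delete only on an explicit flag. The root directory is a stand-in; nothing here knows OpenClaw's real paths.

```shell
#!/bin/sh
# Added example, not from the OpenClaw docs: a guard to run before any of the
# uninstall section's "rm -rf" lines. ROOT is the directory you expect the
# state, workspace and service files to live under (a scratch stand-in here).

# Exit 0 only when TARGET is safe to delete relative to ROOT. Catches an
# empty/unset variable (which turns "rm -rf $X/" into "rm -rf /"), the root
# itself, symlinks that point elsewhere, and ../ escapes.
check_delete_target() {
  root=$1; target=$2
  [ -n "$target" ]   || { echo "refuse: empty path" >&2; return 1; }
  [ ! -L "$target" ] || { echo "refuse: symlink $target" >&2; return 1; }
  [ -d "$target" ]   || { echo "refuse: not a directory: $target" >&2; return 1; }
  real_root=$(cd "$root" && pwd -P) || return 1
  real_target=$(cd "$target" && pwd -P) || return 1
  [ "$real_target" != "$real_root" ] || { echo "refuse: target is the root itself" >&2; return 1; }
  case "$real_target" in
    "$real_root"/*) return 0 ;;
    *) echo "refuse: $real_target is outside $real_root" >&2; return 1 ;;
  esac
}

# Dry run by default: show what would go and stop (exit 2). Deletes only when
# the caller passes --yes, so a mechanically copied snippet cannot destroy
# credentials or session history silently.
guarded_rm() {
  root=$1; target=$2; confirm=$3
  check_delete_target "$root" "$target" || return 1
  echo "would delete under $target:"
  find "$target" -type f | head -n 20
  [ "$confirm" = "--yes" ] || { echo "dry run; pass --yes to delete"; return 2; }
  rm -rf -- "$target"
}

# Demo on scratch directories (constructed; nothing real is touched).
root=$(mktemp -d); elsewhere=$(mktemp -d)
mkdir -p "$root/workspace"; echo 'notes' > "$root/workspace/notes.md"
guarded_rm "$root" "$root/workspace" || true        # dry run only
guarded_rm "$root" "$elsewhere" --yes || true       # refused: outside root
guarded_rm "$root" "$root/workspace" --yes          # actually deletes
rm -rf "$root" "$elsewhere"
```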

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The Deepgram section explicitly states that inbound audio is uploaded to Deepgram, but it does not present a prominent privacy warning or consent guidance before enabling the feature. In a gateway handling user messages, silent third-party transmission of voice content can violate user expectations, privacy requirements, or compliance obligations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The OpenAI Responses compaction section says OpenClaw forces `store: true` for direct OpenAI Responses models, but it does not clearly warn that this causes provider-side retention of request data. Operators may enable or rely on this behavior without understanding the privacy and data-governance consequences.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation explicitly describes `approve-all` as automatically approving all file writes and shell commands in non-interactive ACP sessions. In this skill context, ACP sessions run on the host and outside the sandbox, so this guidance can normalize dangerous configurations that grant broad host-side code execution without meaningful human approval.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The troubleshooting section recommends setting `permissionMode=approve-all` to fix ACP failures, but does so as an operational fix rather than a last-resort high-risk override. Because ACP runs on the host and is designed to drive coding harnesses, this can directly enable unattended shell execution and file modification from chat-triggered agent activity.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation describes sending inbound image/audio/video content to external provider APIs and local CLIs, but it does not consistently warn operators that user-supplied media may leave the local system and be processed by third parties. In a messaging gateway context, this creates a real privacy and compliance risk because sensitive user content could be forwarded off-device without informed consent or clear operator awareness.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The docs state that inbound web media is downloaded to a temporary local file and exposed through templating variables, but they do not clearly warn that user content is being written to disk. Even if temporary, local persistence can create privacy exposure through filesystem access, backups, crash artifacts, or delayed cleanup.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation provides concrete `netsh interface portproxy` and firewall-opening commands that can expose services running inside WSL to the LAN, including using `listenaddress=0.0.0.0`, without a prominent security warning or hardening guidance. In a gateway product that may handle chat/agent traffic, this can lead to unintended network exposure and remote access if users copy-paste the commands without understanding the trust boundary change.
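A check for the exposure this finding describes, as an added example that is not code from the OpenClaw docs: parse the table that `netsh interface portproxy show v4tov4` prints and flag every rule whose listen address is 0.0.0.0, since that binds all interfaces and makes the WSL service reachable from the LAN once the firewall rule is added. The sample output is constructed in the shape netsh prints, with made-up addresses and ports; on a real host, run the command in PowerShell and pipe its output into the audit.

```shell
#!/bin/sh
# Added example, not from the OpenClaw docs: audit the rules that
# "netsh interface portproxy show v4tov4" reports and flag any that listen on
# every interface. SAMPLE_NETSH is constructed in the shape netsh prints.

SAMPLE_NETSH='
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         3000        172.20.1.5      3000
127.0.0.1       9000        172.20.1.5      9000
192.168.1.20    8080        172.20.1.5      8080
'

# One line per rule bound to 0.0.0.0 (or "*"): those accept connections from
# any interface, so the WSL service is reachable from the whole LAN as soon as
# the firewall rule the docs add lets the port through. Loopback or a single
# host address keeps the trust boundary where it was.
audit_portproxy() {
  awk '
    # data rows start with a dotted IPv4 address or "*"; headers and rules do not
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $1 == "*" {
      if ($1 == "0.0.0.0" || $1 == "*")
        printf "EXPOSED listen %s:%s -> %s:%s\n", $1, $2, $3, $4
    }'
}

# Number of exposed rules, usable as a pass/fail gate in a hardening script.
exposed_count() {
  audit_portproxy | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSH" | audit_portproxy
# Corrected form of the flagged rule: bind loopback (or one LAN address) and
# scope the matching firewall rule to that address, e.g. in PowerShell:
#   netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=3000 connectaddress=<wsl-ip> connectport=3000
```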

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Render backup export guidance tells users to download a portable backup of state and workspace but does not warn that the archive can include secrets such as API keys, tokens, OAuth material, session data, and potentially sensitive workspace contents. Users may mishandle the export, store it insecurely, or share it during migration, leading to credential disclosure or data leakage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Railway backup instructions similarly encourage exporting OpenClaw state and workspace without clearly warning that the archive may contain private credentials, tokens, chat data, and other sensitive operational state. This omission increases the chance of accidental exposure during backup handling or migration.
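A pre-share check for the Render and Railway backup findings above, as an added example that is not code from the OpenClaw docs: list the exported archive and flag members that commonly hold credentials or session data, then grep the extracted contents for key-shaped values so that secrets in innocuously named files are caught too. The archive is built from constructed dummy files; the member names and the value prefixes are assumptions, not OpenClaw's real export layout.

```shell
#!/bin/sh
# Added example, not from the OpenClaw docs: before a Render or Railway state
# export leaves the host, list the archive and flag likely-sensitive members,
# then scan extracted contents for key-shaped values. Constructed dummy data.

# Member names worth a second look before the archive is shared or stored.
NAME_PATTERNS='\.env$|credential|token|secret|\.pem$|\.key$|oauth|session'
# Value shapes for common key formats (illustrative prefixes, not a full list).
VALUE_PATTERNS='sk-[A-Za-z0-9_-]{8,}|BEGIN [A-Z ]*PRIVATE KEY|[0-9]{6,}:[A-Za-z0-9_-]{20,}'

# Print suspicious member paths from the archive listing; return 1 if any.
# tar -tf also reads gzip-compressed exports on GNU and BSD tar.
scan_archive_names() {
  tar -tf "$1" | grep -Ei "$NAME_PATTERNS" && return 1
  return 0
}

# Extract to a scratch directory and print members whose contents match a key
# shape; return 1 if any. The scratch copy is removed before returning.
scan_archive_contents() {
  work=$(mktemp -d)
  tar -xf "$1" -C "$work"
  hits=$(grep -rEl "$VALUE_PATTERNS" "$work" | sed "s|^$work/||")
  rm -rf "$work"
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Build a constructed export: one secret in an obvious place, one pasted into
# a workspace note, one harmless file. Prints the archive path.
build_demo_archive() {
  base=$1
  mkdir -p "$base/export/state" "$base/export/workspace"
  printf 'OPENAI_API_KEY=sk-EXAMPLE0000000000\n' > "$base/export/state/.env"
  printf 'pasted earlier: 123456789:AAAAexampleexampleexample000\n' > "$base/export/workspace/scratch.md"
  printf 'hello\n' > "$base/export/workspace/notes.md"
  tar -cf "$base/backup.tar" -C "$base" export
  echo "$base/backup.tar"
}

demo=$(mktemp -d)
archive=$(build_demo_archive "$demo")
echo "by name:";    scan_archive_names "$archive"    || echo "-> review before sharing"
echo "by content:"; scan_archive_contents "$archive" || echo "-> review before sharing"
rm -rf "$demo"
```

The name scan is cheap and runs without extracting anything; the content scan is what catches a token pasted into a workspace note, which is the case a name-only check misses.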

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The AGENTS template explicitly tells the agent to read SOUL.md, USER.md, daily memory files, and MEMORY.md automatically at session startup without asking permission. That creates persistent handling of potentially sensitive personal data and normalizes autonomous access to private context files without an explicit user-facing consent or minimization model.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The heartbeat guidance authorizes proactive checks of email, calendars, social mentions, and weather, and writes the results into a heartbeat-state.json file, all without a strong user-consent and privacy warning framework. This enables ongoing monitoring of sensitive personal activity and creates persistent, telemetry-like state that could expose behavioral patterns or leak private information if misused.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation presents a remote installer pipeline that executes downloaded shell code and modifies the local system, but the nearby text does not explicitly warn users about the trust and change-management implications. In a troubleshooting skill for an agent that may summarize or suggest commands, this increases the chance that users or downstream agents run high-risk setup commands without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
This command pipes a remote installer directly to bash with no adjacent caution that it will execute network-fetched code and alter the host. In this skill context, the content is likely to be reused verbatim by an assistant, making unsafe one-liners more likely to be recommended uncritically.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Tailscale install snippet installs software and changes network configuration, but the docs do not warn nearby about those effects. Because this is operational documentation that may be followed under time pressure, users may not realize they are making system-wide networking changes.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The memory design explicitly proposes storing daily logs, preferences, entity summaries, and confidence-bearing opinions, then surfacing them later through recall tools. Without clear data minimization, access controls, retention limits, and redaction rules, this creates a real privacy and data exposure risk because sensitive user-provided content can be indexed and retrieved outside the original context.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content

## Auto-Start on macOS

Create a LaunchAgent to run the proxy automatically:

```
cat > ~/Library/LaunchAgents/com.claude-max-api.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PL
```

Confidence: 83%
Finding
The flagged content is the LaunchAgent snippet above (truncated in the scan output): it writes `com.claude-max-api.plist` under `~/Library/LaunchAgents/` so the proxy is relaunched automatically at every login, which the scan classifies as a session-persistence mechanism.

External Script Fetching

Severity: High
Category: Supply Chain
Content
*   `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke` (Docker install smoke test, fast path; required before release)
    *   If the immediate previous npm release is known broken, set `OPENCLAW_INSTALL_SMOKE_PREVIOUS=<last-good-version>` or `OPENCLAW_INSTALL_SMOKE_SKIP_PREVIOUS=1` for the preinstall step.
*   (Optional) Full installer smoke (adds non-root + CLI coverage): `pnpm test:install:smoke`
*   (Optional) Installer E2E (Docker, runs `curl -fsSL https://openclaw.ai/install.sh | bash`, onboards, then runs real tool calls):
    *   `pnpm test:install:e2e:openai` (requires `OPENAI_API_KEY`)
    *   `pnpm test:install:e2e:anthropic` (requires `ANTHROPIC_API_KEY`)
    *   `pnpm test:install:e2e` (requires both keys; runs both providers)
Confidence: 89%
Finding
`curl -fsSL https://openclaw.ai/install.sh | bash`
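The safer shape of this one-liner, serving the remote-installer findings above (the Ansible installer, the troubleshooting installer pipeline, and this flagged line) as an added example that is not code from the OpenClaw docs or the project: save the script to disk, compare it against a SHA-256 obtained out of band, read it, and only then run it. The URL is the one in the docs; the expected hash is a placeholder you must supply, and the demo at the bottom uses a constructed local script instead of the network.

```shell
#!/bin/sh
# Added example, not from the OpenClaw docs: replacement for
# "curl -fsSL https://openclaw.ai/install.sh | bash". The script is written to
# disk, pinned against a SHA-256 you obtained out of band (release notes, a
# signed checksum file, a previously reviewed copy), and run only on a match.

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a downloaded installer against the pinned hash. Returns 0 only on an
# exact match; a swapped CDN object, an edited script or the wrong file all fail.
verify_installer() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] && return 0
  echo "hash mismatch for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Fetch to a file, verify, show it, then run it. No "| bash": the script sits on
# disk for inspection and never executes unless the hash matches.
fetch_verify_run() {
  url=$1; expected=$2; out=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
  verify_installer "$out" "$expected" || return 1
  ${PAGER:-less} "$out"            # read it before it runs
  bash "$out"
}

# Offline demo with a constructed "installer" standing in for install.sh.
demo=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$demo"
pinned=$(sha256_of "$demo")      # in real use this value comes from out of band
verify_installer "$demo" "$pinned" && echo "verified: $demo"
printf '\n# tampered line\n' >> "$demo"
verify_installer "$demo" "$pinned" || echo "refusing to run tampered script"
rm -f "$demo"
# Real use, once you have the hash:
#   fetch_verify_run https://openclaw.ai/install.sh <sha256-from-release-notes>
```

The pin only helps if the hash comes from somewhere other than the server that serves the script; a checksum file hosted next to install.sh fails together with it.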

VirusTotal

55/55 vendors flagged this skill as clean.
