botlearn-healthcheck

Security checks across malware telemetry and agentic risk

Overview

This health-check skill performs useful diagnostics, but it also reads sensitive local data, can send reports to external services despite a local-only claim, and recommends forced installation of related skills.

Install only if you trust the publisher and are comfortable with scripts inspecting your OpenClaw home, config, logs, workspace identity files, installed skills, and host details. Keep reports local unless you intentionally configure Slack, Discord, Feishu, Dingtalk, or email delivery, and review reports for sensitive information before sharing. Do not blindly follow the `--force` botlearn install recommendations; review each suggested skill normally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires shell and environment access to inspect a live system, but it declares no explicit permissions boundary. This creates a dangerous mismatch: users and platform controls may treat it as lower-risk than it is, while the skill can read environment variables, inspect local files, and execute shell-based collection workflows across the host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond passive health checking into secret scanning, VCS inspection, dependency auditing, historical snapshotting, and possible delivery of reports to external services. That scope expansion materially increases privacy and exfiltration risk because a user invoking a 'health check' may not expect broad inspection of logs, config, repositories, or outbound sharing of results.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to treat all @botlearn skills as trusted and to recommend installation with --force, explicitly bypassing risk prompts. This undermines normal trust and review controls and can be used as a supply-chain pivot to introduce additional unreviewed capabilities under the guise of health remediation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as a five-domain diagnostic tool, but it also contains a remediation execution workflow. Even with a confirmation step, mixing diagnosis and command execution increases the chance that users invoke a read-only skill and are then steered into privileged or state-changing operations they did not anticipate.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill goes beyond diagnostics by recommending installation of additional botlearn skills to expand autonomy, including self-improvement capabilities. In a health-check skill, this creates scope creep from assessment into capability expansion, which can materially change the system state and increase attack surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs reading and storing the full contents of workspace identity files such as agent.md, soul.md, user.md, identity.md, and tool.md, even though the stated analysis only needs structural signals. These files can contain personal data, behavioral instructions, internal system prompts, or tool capability details, so copying raw content into working context creates unnecessary exposure and increases the blast radius if the context is logged, displayed, or reused by later steps.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script goes beyond passive local health inspection by querying the clawhub registry and enumerating external botlearn ecosystem data. In a health-check skill, this creates unsolicited outbound network activity, leaks environment interest/metadata to third parties, and expands the trust boundary without clear user consent or strict necessity for local diagnostics.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments assert that all @botlearn skills are vetted and trusted, but the code performs no signature, publisher, provenance, or integrity verification. This can mislead operators or downstream logic into over-trusting arbitrary discovered skills, increasing the chance of unsafe installation or execution decisions based on false assurances.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script intentionally supports delivery of health reports to external services including Slack, DingTalk, Feishu, Discord, and email, which expands the data boundary beyond a purely local health-check role. Even though the behavior is feature-driven rather than overtly malicious, health reports can contain configuration, issue, and environment details that may disclose sensitive operational information to third parties or unintended recipients.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Webhook and SMTP publication capabilities are broader than necessary for a health-check skill because they enable redistribution of diagnostic results to arbitrary remote endpoints. This increases the attack surface and the chance of accidental exfiltration of system state, issue summaries, or embedded secrets from reports.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Broad triggers like 'fix my setup' and similarly generic health phrases can invoke a high-privilege diagnostic skill unintentionally. Because this skill performs system inspection and may later guide command execution, accidental activation expands exposure of local configuration, logs, and security-sensitive metadata.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Using 'general query' as an activation condition is ambiguous and can cause the skill to run in contexts where the user did not request system inspection. In a skill that reads configs, logs, identity directories, and environment data, accidental invocation meaningfully increases privacy and operational risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guidance explicitly tells users to use `--force`, which suppresses interactive risk prompts for installing third-party skills. This weakens a built-in safety control and could lead to unreviewed package installation, especially dangerous because the file also frames botlearn skills as inherently trusted.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The protocol explicitly reads and stores potentially sensitive identity files without a prior user-facing warning or consent gate, despite acknowledging that the content may be personal. That mismatch is risky because users invoking a health check would not reasonably expect full identity/profile documents to be ingested, making this an over-collection and transparency failure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill reads and stores the raw main configuration file for cross-validation without warning that configuration files commonly contain secrets, endpoints, auth settings, and other sensitive operational details. Although some later log redaction is specified elsewhere, there is no equivalent minimization or redaction for this config collection step, so sensitive settings may enter context unnecessarily.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script collects a broad host inventory including OS version, architecture, Node/npm/pnpm/OpenClaw versions, total and available memory, disk capacity, CPU details, and uptime, then emits it as JSON with no consent prompt, masking, or scope restriction. In a health-check skill this may be functionally expected, but it still exposes sensitive fingerprinting data that can aid targeted exploitation, environment profiling, or unintended disclosure if the output is transmitted, logged, or shown to other components.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This script reads and summarizes application logs, including recent error lines and critical event excerpts, which can contain sensitive information such as tokens, file paths, user data, or internal system details. In the context of an autonomous health-check skill, that data is intentionally collected, but the lack of explicit disclosure, minimization, or redaction makes it a real privacy and information-exposure risk if results are shown to users, stored elsewhere, or sent to another component.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script executes `openclaw status --all --deep` and then parses and emits a rich JSON snapshot containing potentially sensitive operational details such as config paths, dashboard/gateway data, service state, agent bootstrap filenames, store paths, and selected log excerpts. In a health-check skill, this broad collection may be expected, but the lack of any explicit disclosure, scope limitation, or consent gate increases the risk of unintentional exposure of local system and environment information to downstream components or users who did not realize how much would be collected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script emits environment variable values such as OPENCLAW_HOME and OPENCLAW_CONFIG_PATH directly into JSON output with only home-directory shortening, not true redaction. These paths can reveal filesystem layout, usernames, custom storage locations, or sensitive deployment structure to whoever can view the health-check report, which increases recon value and may expose security-relevant configuration details.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script posts report contents to webhooks and SMTP targets without any user-facing warning, confirmation, or runtime disclosure. In a diagnostic skill context, that is risky because users may reasonably expect local inspection, while the report may contain system health, issue IDs, timestamps, and other environment details that are sent off-host.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
3. Await explicit user confirmation
4. Execute → verify result → report outcome

**Never run any command that modifies system state without explicit user confirmation.**

---
Confidence
93% confidence
Finding
run any command

Credential Access

High
Category
Privilege Escalation
Content
| Control UI exposed | `controlUI` on non-loopback | false | — | true | ❌ -25 |
| Critical CVEs | `vulnerabilities` CVSS ≥9 | 0 | — | any | -15 each (max -45) |
| High CVEs | `vulnerabilities` CVSS 7–8.9 | 0 | any | — | -5 each (max -20) |
| Secrets tracked in VCS | `vcs` | clean | .env without .gitignore | tracked in git | -10 / -25 |

**Risk classification** (add after scoring):
- Critical: any ❌ from credential exposure or unauthenticated LAN bind → fix immediately
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
try {
    const tracked = execSync("git ls-files " + HOME + " 2>/dev/null", { encoding: "utf8", timeout: 3000 });
    const secretFiles = tracked.split("\n").filter(f =>
      f.endsWith(".key") || f.endsWith(".pem") || f.endsWith(".env") ||
      f.includes("credentials") || f.includes("secret")
    );
    for (const sf of secretFiles) {
Confidence
80% confidence
Finding
.env"

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
85% confidence
Finding
A very short trigger like '体检' is prone to accidental matches in ordinary conversation. Because this skill can inspect sensitive local system state, accidental invocation can expose more information than the user intended.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
85% confidence
Finding
The short trigger '修复' is highly generic and may unintentionally activate remediation-oriented behavior. In this context, accidental activation is more dangerous than usual because the skill can progress from inspection to recommending or executing system changes.

VirusTotal

64/64 vendors flagged this skill as clean.