botlearn-healthcheck

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw health-check tool, but it performs broad local inspection, saves diagnostic reports, and recommends capability-changing forced installs that users should review carefully.

Install only if you are comfortable with this skill reading OpenClaw configs, logs, heartbeat files, identity/profile documents, and secret locations, contacting ClawHub for package checks, and writing persistent health reports. Review generated reports before sharing them, avoid `--force` install recommendations unless you independently trust the packages, and approve repair commands one at a time after checking the exact command and rollback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell scripts, direct file reads, and CLI commands while declaring no permissions, which hides its real execution and data-access capabilities from the host and reviewer. In a diagnostic skill, this is dangerous because it enables broad environment inspection and command execution without explicit capability scoping or user-visible permission boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The manifest presents the skill as a health inspector, but the instructions expand into credential scanning, broad workspace auditing, persistent report generation, external checks, and ecosystem enumeration. This mismatch undermines informed consent and increases the chance that users trigger a much more invasive skill than they expect.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Although framed as a health check, the skill instructs the agent to execute system-modifying fix commands after user approval, which crosses from diagnostics into remediation with real operational risk. A user may invoke the skill expecting inspection only, but end up authorizing destructive or unsafe changes suggested by the skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Persistent report generation and a modification-oriented fix workflow materially expand the skill beyond passive inspection. This is risky because it causes data retention and operational side effects in a skill whose primary framing suggests a diagnostic role.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill goes beyond passive diagnostics by recommending installation of additional skills, including bulk installation, which can materially change the agent’s capabilities and trust boundary. In a healthcheck skill, this is dangerous because users may expect read-only assessment, yet the guidance encourages capability expansion and package changes without strong consent controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation explicitly recommends using `--force` to skip interactive risk prompts for 'trusted' botlearn skills. Bypassing safety prompts undermines a built-in security control and normalizes suppressing warnings that may exist precisely to prevent unsafe or unexpected environment changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read and store the full contents of workspace identity/persona files such as agent.md, soul.md, user.md, identity.md, and tool.md. For a health-check skill, collecting complete personal/behavioral context is not necessary for routine diagnostics and creates unnecessary exposure of sensitive user, agent, and capability data in working context where it may later be summarized, logged, or reused.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The workflow captures the full HEARTBEAT.md content instead of narrowly scoped status metadata. Even if intended for diagnostics, full heartbeat files can contain operational notes, user-authored context, or other sensitive state that exceeds what is needed for a simple health inspection.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This section instructs a healthcheck skill to change `tools.profile` to `full` and `tools.sessions.visibility` to `all`, which expands the agent's capabilities far beyond diagnostics. In a health-inspection context, capability escalation violates least privilege and could enable broad file/session/tool access if an operator follows the guidance blindly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The rate-limit remediation includes a direct example that writes live API keys into `openclaw.json` (`apiKeys: ['sk-key1', ...]`). Even as an example, this normalizes plaintext secret storage in a config file, increasing the risk of credential leakage through backups, logs, permissions mistakes, or source control.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document contradicts itself by earlier recommending plaintext API keys in config, then later stating secrets should never be stored in JSON config. Conflicting security guidance is dangerous because operators may follow the insecure instructions, creating real credential exposure in a skill that users may trust as an authoritative health/security fixer.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script goes beyond local health inspection and performs external ecosystem enumeration by querying clawhub for botlearn packages and computing missing skills. In a healthcheck context, this broadens data collection and creates unnecessary network activity that can disclose installation state and encourage package discovery unrelated to diagnosing the local system.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is overly broad and includes common troubleshooting phrases like 'doctor', 'diagnose', and 'what's wrong', which can cause unintended activation during ordinary conversation. In an autonomous health-check skill that reads configs, logs, and system state, accidental invocation increases privacy exposure and may start intrusive diagnostics without clear user intent.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger set includes broad phrases like 'doctor', 'troubleshoot', 'what's wrong', and 'fix my setup', which can match common support conversations and invoke the skill unintentionally. Because the skill performs autonomous collection, reads sensitive files, and may guide into fix execution, accidental activation materially raises exposure and misuse risk.
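The two trigger findings above describe the same failure: bare words like "doctor" or "what's wrong" match everyday conversation, and in this skill a match starts file reads and diagnostics. The following is an added example, not code from the skill or from OpenClaw. It runs the quoted trigger phrases over constructed chat messages and compares them with a gated matcher that also requires an OpenClaw-specific noun in the same message; the noun list and the gating rule are assumptions about how a host could scope activation, not a documented OpenClaw mechanism.

```python
"""Broad keyword triggers versus a scoped trigger gate.

Added example. The trigger phrases are the ones the scan findings quote; the
domain-noun gate and the sample messages are constructed for illustration.
"""
import re

# Phrases the findings say the skill triggers on.
BROAD_TRIGGERS = ["doctor", "diagnose", "troubleshoot", "what's wrong", "fix my setup"]

# Assumption: a message about this agent will name one of these; ordinary
# small talk about a doctor's appointment will not.
DOMAIN_NOUNS = ["openclaw", "skill", "gateway", "config", "heartbeat", "agent"]

# Constructed sample messages: two innocent, two genuine support requests.
CHATTER = [
    "I have a doctor appointment at 3, can you remind me?",
    "what's wrong with the weather today",
    "openclaw doctor: my gateway keeps restarting, can you diagnose it?",
    "troubleshoot the openclaw config, heartbeat shows stale",
]


def _word_patterns(words):
    # Whole-word matches so "doctorate" does not fire "doctor".
    return [re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE) for w in words]


TRIGGER_RES = _word_patterns(BROAD_TRIGGERS)
NOUN_RES = _word_patterns(DOMAIN_NOUNS)


def broad_match(msg):
    """What the skill does today: any trigger phrase anywhere in the message."""
    return any(p.search(msg) for p in TRIGGER_RES)


def scoped_match(msg):
    """Gate: a trigger phrase AND a domain noun must both appear."""
    return broad_match(msg) and any(p.search(msg) for p in NOUN_RES)


def classify(msgs):
    """Return [(broad, scoped), ...] for each message, in order."""
    return [(broad_match(m), scoped_match(m)) for m in msgs]


def false_positives(msgs):
    """Messages the broad matcher would activate on but the scoped one would not."""
    return [m for m in msgs if broad_match(m) and not scoped_match(m)]


if __name__ == "__main__":
    for msg, (b, s) in zip(CHATTER, classify(CHATTER)):
        print(f"broad={b!s:5} scoped={s!s:5} {msg}")
```

The first two constructed messages fire the broad matcher and not the scoped one; the gate is not a substitute for an explicit confirmation before the skill starts reading configs and identity files, but it removes the accidental-activation path the findings describe.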

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The forced-install recommendation omits any warning that it suppresses security or risk prompts and may install software with elevated trust assumptions. This creates unsafe operational guidance, especially for autonomous or semi-autonomous agents that may execute remediation steps literally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bulk-install example enumerates all discovered botlearn skills and generates forced install commands for each, enabling broad unreviewed changes to the environment. This amplifies supply-chain and misconfiguration risk because it encourages mass installation based on search results rather than a constrained, reviewed package list.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document directs the agent to read potentially personal workspace identity files and store their contents without a clear upfront warning or explicit consent flow. This is dangerous because users invoking a generic health check may reasonably expect system diagnostics, not deep inspection of persona, identity, or user-profile documents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section recommends `clawhub install ... --force` and explicitly says it skips the risk prompt, while labeling the skills as trusted. Bypassing the safety/risk confirmation flow in installation guidance undermines review controls and makes social-engineering or supply-chain compromise more likely.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill instructs the agent to read prior reports from $OPENCLAW_HOME/memory/health-reports/ and parse previous markdown entries without requiring explicit user consent or clearly disclosing that stored historical data will be accessed. Even though the data source is local health reports, this creates a privacy and transparency issue because historical operational data may contain sensitive configuration or security status details that the user did not expect to be reprocessed automatically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly stores persistent health reports under $OPENCLAW_HOME/memory/health-reports/ but does not require prior user notice or consent before archiving potentially sensitive system diagnostics. Because the report includes configuration, security, hardware, and environment data, silent persistence increases the risk of unintended retention, later exposure to other local users/processes, or collection of data the user did not expect to be written to disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The specified report content includes an environment snapshot with OS, architecture, versions, resource usage, installed skills, and potentially commit information, yet the skill metadata and user-facing behavior do not warn that this metadata will be archived. This omission is dangerous because such details can aid fingerprinting, expose operational context, and create privacy or security issues if the report is shared, synced, or read by unauthorized parties.
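The three persistence findings above (reading prior reports, silently writing new ones, and archiving an environment snapshot) share one mitigation beyond telling the user: redact secret-shaped values before the report touches disk, and make the directory and file readable only by the owner. The following is an added example, not the skill's code. The path $OPENCLAW_HOME/memory/health-reports/ is the one the findings name; the report body, the redaction patterns, and the assumption that the host is POSIX (so file modes are meaningful) are constructed for the example.

```python
"""Redact and write a health report with owner-only permissions.

Added example, not part of botlearn-healthcheck. The report text is
constructed; the `sk-` key shape and NAME=value secret pattern are assumptions.
"""
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Constructed report, deliberately containing the kind of leak the scan warns about.
SAMPLE_REPORT = """# OpenClaw health report
Environment: linux x86_64, openclaw 1.2.3
Config check: apiKeys: ['sk-abcdef0123456789', 'sk-zzzz']
Env: OPENAI_API_KEY=sk-live-9999
Heartbeat: last seen 2 minutes ago
"""

# Order matters: key-shaped tokens first, then any NAME=value where NAME looks secret.
REDACTIONS = [
    (re.compile(r"sk-[A-Za-z0-9_-]{4,}"), "sk-[REDACTED]"),
    (re.compile(r"(?i)\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET)[A-Z0-9_]*)=([^\s'\"]+)"),
     r"\1=[REDACTED]"),
]


def redact(text):
    """Apply every redaction pattern in order and return the scrubbed text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def report_dir(home):
    """The archive location the findings describe, under $OPENCLAW_HOME."""
    return os.path.join(home, "memory", "health-reports")


def write_report(home, text):
    """Create the archive dir 0700 and the report 0600, refusing to overwrite."""
    d = report_dir(home)
    os.makedirs(d, mode=0o700, exist_ok=True)
    os.chmod(d, 0o700)  # makedirs is subject to umask; force the mode explicitly
    name = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H%M%S.%fZ") + ".md"
    path = os.path.join(d, name)
    # O_EXCL: never clobber an existing report; mode applied at creation time.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(redact(text))
    return path


def file_mode(path):
    """Permission bits only (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run against a throwaway $OPENCLAW_HOME and return what a reviewer would check."""
    home = tempfile.mkdtemp(prefix="openclaw-home-")
    path = write_report(home, SAMPLE_REPORT)
    with open(path) as f:
        body = f.read()
    return {
        "path": path,
        "body": body,
        "file_mode": file_mode(path),
        "dir_mode": file_mode(os.path.dirname(path)),
    }


if __name__ == "__main__":
    result = demo()
    print(result["path"], oct(result["file_mode"]), oct(result["dir_mode"]))
    print(result["body"])
```

Redaction removes the credential leak but not the fingerprinting problem: OS, architecture, version and skill inventory remain in the file, so the user still needs to be told before anything is archived, and the same redaction should run on prior reports before they are re-read into the agent's context.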

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file documents an auto-repair command that can modify system state, configuration, or workspace content, but presents it alongside read-only diagnostics without any caution or confirmation guidance. In a health-check skill, this increases the chance that an agent or user treats the command as a routine safe diagnostic step and triggers unintended changes or destructive remediation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance tells operators to edit openclaw.json directly for multi-key rotation without warning that the file may contain credentials and live operational settings. This can lead to accidental secret exposure, malformed config, or unsafe edits applied in production contexts, especially if an automated agent follows the instruction blindly.
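The `tools.profile` / `tools.sessions.visibility` escalation, the plaintext `apiKeys` example, the contradictory secret-handling guidance, and the direct-edit instruction above all concern the same file. A reviewer who is asked to approve one of the skill's fix commands can run a pre-flight check over `openclaw.json` first. The following is an added example, not code from the skill or from OpenClaw. The key names are the ones the findings cite; the nesting of the constructed sample document, the `sk-` prefix test, and the `${VAR}` placeholder convention used when moving keys out of the file are assumptions, since this page does not document OpenClaw's own secret mechanism.

```python
"""Pre-flight audit of an openclaw.json before a "fix" step is approved.

Added example. Key paths come from the scan findings; the sample document's
shape, the `sk-` key pattern and the ${VAR} placeholder scheme are assumptions.
"""
import json
import re

# Constructed sample resembling what the findings describe.
SAMPLE_CONFIG = json.dumps({
    "tools": {"profile": "full", "sessions": {"visibility": "all"}},
    "apiKeys": ["sk-key1", "sk-key2"],
    "model": "example-model",
})

# Assumption: provider keys look like OpenAI-style `sk-...` tokens.
SECRET_RE = re.compile(r"^sk-[A-Za-z0-9_-]{2,}$")


def get_path(doc, dotted):
    """Walk a dotted key path through nested dicts; None if any hop is missing."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_config(text):
    """Return [(severity, message), ...] for the settings the scan flags."""
    doc = json.loads(text)
    issues = []
    if get_path(doc, "tools.profile") == "full":
        issues.append(("medium",
                       "tools.profile=full grants every tool; a diagnostic run does not need it"))
    if get_path(doc, "tools.sessions.visibility") == "all":
        issues.append(("medium",
                       "tools.sessions.visibility=all exposes every session to the skill"))
    keys = doc.get("apiKeys")
    if isinstance(keys, list):
        for i, k in enumerate(keys):
            if isinstance(k, str) and SECRET_RE.match(k):
                issues.append(("high", f"apiKeys[{i}] is a plaintext API key in config"))
    return issues


def strip_secrets(text, env_prefix="OPENCLAW_API_KEY"):
    """Replace plaintext apiKeys entries with ${VAR} placeholders.

    Returns (sanitized config text, {VAR: secret}) so the secrets can be
    exported from a secret store instead of living in openclaw.json.
    Assumption: the deployment resolves ${VAR} references at load time.
    """
    doc = json.loads(text)
    env = {}
    keys = doc.get("apiKeys")
    if isinstance(keys, list):
        for i, k in enumerate(keys):
            if isinstance(k, str) and SECRET_RE.match(k):
                name = f"{env_prefix}_{i}"
                env[name] = k
                keys[i] = "${" + name + "}"
    return json.dumps(doc, indent=2), env


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    sanitized, exports = strip_secrets(SAMPLE_CONFIG)
    print(sanitized)
    for name in exports:
        print(f"export {name}=<from secret store>")
```

Running the audit before and after `strip_secrets` shows the two "high" entries disappear while the two profile/visibility findings remain; those need a deliberate decision, not a rewrite, because the right narrower values depend on the deployment and are not given on this page.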

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The cache-clear commands explicitly delete stored history and index data, yet they are listed as routine operations without any warning about data loss or degraded behavior after clearing. In a diagnostics/repair context, an agent may invoke them as a generic fix, causing avoidable loss of useful state and making recovery or forensic review harder.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The diagnostic cheat sheet escalates from read-only checks to an auto-repair step without any warning banner, decision gate, or requirement to review findings first. Because this skill is explicitly for health inspection and troubleshooting, users or agents are more likely to execute the full sequence mechanically, turning a diagnostic workflow into an unintended modifying workflow.

VirusTotal

62/62 vendors flagged this skill as clean.
