OpenClaw Rescue Gateway Skill.md

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and openly describes a rescue gateway, but it asks users to create a persistent Discord-controlled agent with copied credentials, full command execution, and approvals disabled.

Install only if you intentionally need a break-glass OpenClaw rescue gateway. Use separate scoped rescue credentials where possible, restrict the Discord bot to trusted servers/channels/users, keep execution approvals enabled unless there is a specific emergency reason, and verify you can stop or unload the independent launchd service after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs operators to copy `auth-profiles.json` from the main agent into the rescue agent directory, and the surrounding text explicitly references missing provider API keys. That file likely contains sensitive credentials, so duplicating it without guidance on secret minimization, secure transfer, rotation, or scope increases the chance of credential exposure and unintended reuse across environments.

Missing User Warnings

High
Confidence: 99%
Finding
The skill repeatedly recommends `tools.exec.security = "full"`, `tools.exec.ask = "off"`, elevated default `full`, and plugin permission mode `approve-all`, all framed as the desired configuration for the rescue gateway. This removes execution approval and grants broad command execution capability to a Discord-connected bot, meaning any compromise, prompt injection, or misuse of the bot can directly translate into arbitrary system actions without human review.

VirusTotal

63/63 vendors flagged this skill as clean.
