OpenClaw Course Reference

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw course reference, but it needs review because its helper can read outside its reference folder and the docs include powerful setup commands with incomplete safety framing.

Treat this as a reference-only skill and do not allow an agent to run its copied shell commands automatically. Before installing or following the course, constrain the section helper to bundled module filenames, inspect remote installers, avoid privileged Docker/socket setups unless intentionally needed, verify cloud-model privacy and pricing, and keep API keys out of persistent prompt or memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (22)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
`getSection(moduleFile, sectionTitle)` joins user-controlled `moduleFile` directly with `REFERENCES_DIR` and only checks `fs.existsSync`, so inputs like `../package.json` or other relative paths can escape the intended course-module set. Because the `section` CLI command passes attacker-supplied arguments straight through, this creates a path traversal/local file read issue that can expose arbitrary files readable by the process.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states coding agents should never run in `~/.openclaw/`, yet the referenced example invokes a coding workflow from `~/projects` while other nearby guidance and examples normalize self-modification of agent files under the OpenClaw tree. In a skill about agentic coding and self-modification, contradictory guidance can cause users or downstream agents to operate in protected directories and alter agent state, prompts, or configs unintentionally.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The section says host execution requires approval, then immediately demonstrates `gateway` execution and `elevated: true` full-system commands without showing any approval gate or warning. This weakens operator expectations and may normalize privileged command execution by agents, increasing the chance of destructive host changes if copied into real workflows.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document presents an absolute privacy claim ('data never leaves your machine') in the local LLM section, but elsewhere recommends cloud-backed models and remote provider routing. In a guidance document, this can mislead users into sending sensitive prompts to external services under a false assumption of local-only processing.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The cost table labels cloud models such as GLM-5 as having zero token cost, while later sections describe paid cloud providers and pricing. This inconsistency can cause unsafe operational decisions, including unexpected spend and unintended routing of sensitive workloads to remote services believed to be free/local.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script writes `GATEWAY_PASSWORD=$(openssl rand -base64 32)` literally into a quoted heredoc, so the password is not generated at install time. This can leave the deployment with an invalid, predictable, or misunderstood authentication state and may cause operators to believe a strong secret was created when it was not.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The sample `.env` block presents shell command substitution as if `.env` parsers will execute it, but most `.env` loaders treat it as a literal string. This can result in deployments using the exact text `$(openssl rand -base64 32)` as the gateway password, weakening authentication through operator confusion.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill describes broad, automatic search behavior over a wide range of common topics, which can cause the skill to activate on generic user requests that only loosely match its keyword set. This increases the chance of unintended invocation, irrelevant context injection, and user confusion, though the manifest itself does not contain direct code execution or privilege-escalation behavior.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The document recommends piping a remotely fetched install script directly into a shell (`curl ... | bash`) without any integrity verification, signature checking, or warning about the trust boundary. If the hosting site, CDN, DNS, TLS termination, or upstream script is compromised, users could execute arbitrary code immediately on their machine.

Missing User Warnings

High
Confidence
99% confidence
Finding
The Docker sandbox example combines `--privileged` with a mounted Docker socket, which effectively gives the container root-equivalent control over the host. Presenting this as a normal setup step without a strong warning can lead users to deploy a configuration that defeats container isolation and enables full host takeover if the container is compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The opening tool examples include overwriting files and shell execution with no immediate warning about destructive effects, trust boundaries, or user confirmation. In a capability-enablement document, this can lead users or agents to treat powerful primitives as routine and perform irreversible file or system actions without safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Whisper API setup and workflow encourage use of a cloud transcription service but do not place a clear warning at the point of use that audio content leaves the device and may contain sensitive speech. This creates privacy risk because users may enable or automate transcription without informed consent or data-handling controls.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The coding-agent instructions promote `bypassPermissions`, `--full-auto`, and `--yolo` modes, which materially reduce interactive safeguards while enabling autonomous code changes and command execution. In the context of agentic coding, this can lead to unreviewed modifications, dependency changes, or risky shell actions propagating quickly through a project.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples recommend pulling and using cloud models via Ollama without warning that prompts and possibly conversation context may be transmitted to external infrastructure. In a context-and-costs guide, omission of that warning increases the risk of users disclosing proprietary or regulated data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The configuration examples show API-key-based provider access but do not warn users about protecting credentials or the privacy implications of external API calls. This can normalize insecure handling of keys and blind use of remote inference for sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The emergency-lockdown script makes immediate disruptive firewall and service changes but does not prominently warn that it can cut off remote access or interrupt production traffic. Although the script tries to preserve the current SSH source IP, relying on `SSH_CONNECTION` can fail or behave unexpectedly in NAT, proxy, console, or non-SSH execution contexts, increasing lockout risk during an incident.

Ssd 3

Medium
Confidence
95% confidence
Finding
The daily memory pattern persists user topics, actions, and outcomes in plain-text files by default, encouraging storage of user-provided content without minimization, retention limits, or sensitivity checks. This can accumulate personal or confidential data in long-lived local records that other tools or agents may later read.

Session Persistence

Medium
Category
Rogue Agent
Content
#### Environment Variables

Create `~/.openclaw/.env` for sensitive values:

```bash
# API Keys
```
Confidence
74% confidence
Finding
Create `~/.openclaw/.env` for sensitive values: ```bash # API Keys ANTHROPIC_API_KEY=sk-ant-... OPENAI_API_KEY=sk-... BRAVE_API_KEY=... GEMINI_API_KEY=... # Channel Tokens (alternative to config fil

External Script Fetching

High
Category
Supply Chain
Content
**macOS/Linux:**
```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```

**Windows (PowerShell):**
Confidence
99% confidence
Finding
`curl -fsSL https://openclaw.ai/install.sh | bash`

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install Node.js 22+ using NodeSource
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs

# Verify installation
```
Confidence
96% confidence
Finding
`| sudo`

Chaining Abuse

High
Category
Tool Misuse
Content
**macOS/Linux:**
```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```

**Windows (PowerShell):**
Confidence
99% confidence
Finding
`| bash`

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Installation
curl -fsSL https://openclaw.ai/install.sh | bash
npm install -g openclaw@latest

# Onboarding
```
Confidence
99% confidence
Finding
`| bash`

VirusTotal

64 of 64 vendors reported this skill as clean.