ClawHub

Openclaw Remote Install

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do remote OpenClaw installation as advertised, but it uses risky SSH and secret-handling practices that users should review carefully.

Install only if you are comfortable with a tool that can run commands and change configuration on remote hosts. Prefer SSH keys, verify host fingerprints, avoid passing passwords or API keys on the command line, protect or delete logs, and use it only against servers you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_ssh_command(ssh_cmd: str, command: str) -> tuple[str, str, int]:
    """Execute command via SSH and return stdout, stderr, returncode."""
    full_cmd = f"{ssh_cmd} '{command}'"
    result = subprocess.run(
        full_cmd, shell=True, capture_output=True, text=True
    )
    return result.stdout, result.stderr, result.returncode
Confidence
98% confidence
Finding
result = subprocess.run( full_cmd, shell=True, capture_output=True, text=True )

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is explicitly designed for non-interactive remote installation and post-install configuration over SSH, including handling credentials, but it lacks an upfront warning about modifying remote hosts and the sensitivity of authentication material. In this context, omission of such warnings is dangerous because automation can rapidly apply changes to production-like systems and mishandle secrets without adequate operator awareness.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation shows password-based authentication and direct API key arguments on the command line without warning that such values can be exposed via shell history, process listings, CI logs, and terminal recording. Because this skill also supports automation and remote configuration, the likelihood of accidental credential leakage is materially increased.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that installation output is automatically logged, including raw command output, but does not warn that logs may capture secrets, tokens, hostnames, or configuration values emitted during installation and setup. Given that the skill also supports credentialed remote configuration, these logs could become a secondary repository of sensitive data if left unredacted or broadly accessible.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script prints `Running: {full_cmd}` after embedding the API key directly in the command when `secret_mode` is `plaintext`. This exposes secrets to terminal logs, CI logs, shell history captures, support transcripts, and other observability systems, creating straightforward credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The SSH command uses `-o StrictHostKeyChecking=no`, which disables verification of the remote host identity. In a remote-install skill that may target VPS or cloud hosts over untrusted networks, this materially increases the risk of man-in-the-middle attacks, credential theft, and configuration being applied to an attacker-controlled host.

Missing User Warnings

High
Confidence
99% confidence
Finding
Password-based authentication is implemented with `sshpass -p '$AUTH'`, which places the SSH password in the local process command line. On many systems, other local users or monitoring tools can read process arguments, exposing credentials; this is especially dangerous in an automation skill that encourages unattended remote installs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script remotely executes bootstrap commands and downloaded installers on target hosts, including `curl | sh` patterns, without integrity verification or a strong safety prompt. In the context of a one-click remote deployment tool, this amplifies risk because a compromised upstream, DNS/TLS interception, or operator mistake directly leads to remote code execution on the server.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal