ClawHub

openclaw-cleaner

Security checks across malware telemetry and agentic risk

Overview

This cleaner has a plausible purpose, but it gives an agent broad no-confirmation authority to copy, modify, and restore sensitive workspace and OpenClaw state files.

Install only if you are comfortable with an agent reading and copying broad workspace contents into .cleaner-backups and changing OpenClaw state files. Use it first on non-sensitive projects, require manual review before optimize or restore actions, and inspect or delete generated backups because they may contain private code, prompts, or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The backup/restore code operates on agent memory and configuration artifacts such as MEMORY.md, IDENTITY.md, USER.md, SOUL.md, AGENTS.md, TOOLS.md, skills/, and agents/, which exceeds a narrow 'directory cleaning' scope. In an AI-agent context, these files can contain prompts, memory, tool config, or identity/state, so broad restore capability can overwrite sensitive state or undo security-relevant changes without clear authorization boundaries.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly states the AI may directly invoke the skill 'without user confirmation' for project-cleaning actions, while the code includes filesystem-writing operations such as snapshot creation, backups, checkpoints, and markdown rewrites. In an agent setting, removing confirmation for write-capable maintenance actions materially increases the risk of unintended integrity loss, state corruption, or destructive automation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The installation/usage section suggests directly running the skill file but does not warn that the contained APIs perform filesystem writes and stateful operations. Even if execution details are unclear because the file is Markdown, the guidance normalizes unsafe direct execution without communicating the potential for backups, checkpoints, restores, or content rewriting.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal