Security audit

Openclaw Push Doctor

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed OpenClaw diagnostic and repair helper that prints guidance for checking push channels and cron jobs, with some sensitive repair steps users should run only deliberately.

Install only if you want an agent-assisted OpenClaw health-check and repair runbook. Review generated commands before running them, especially Telegram webhook deletion, real test messages, crontab replacement, OAuth/login steps, and sudo/service restart commands. Keep bot tokens in environment variables rather than chat, as the skill itself recommends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and implies capabilities to access environment variables, write files, perform network requests, and invoke shell/system tools, yet it declares no permissions or safety boundaries. This creates a trust and review gap: an agent or user may invoke a skill that can modify cron/configuration state or send network traffic without explicit authorization, increasing the chance of unintended system changes or secret exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose frames the skill as diagnostics and guided repair, but the content also implies invasive actions such as modifying crontab, restarting daemons, resetting Telegram state, and writing health reports. When a skill's real behavior is broader than its declared description, users and orchestrators can authorize it under false assumptions, leading to unsafe execution of state-changing operations.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file claims it is a prompt generator with no outbound network requests, but it emits instructions directing an agent to call Telegram's external API. In an agent-skill context, generated operational instructions are effectively behavior, so this mismatch can bypass operator expectations and cause unintended external data transmission.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The usage text states that --fix will auto-apply repairs, but the script only prints instructions suggesting repair commands. In an autonomous or semi-autonomous agent workflow, this deceptive behavior can cause operators or downstream tooling to believe remediation occurred when no repair was actually performed.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The output section instructs that a health report is written to data/health-report.json, but the script never creates that file. This can mislead agents, users, or automation into trusting a nonexistent artifact, which may break monitoring or mask actual health-check failures.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script advertises itself as a prompt generator with no outbound network activity, but it instructs the agent to run `lark-cli auth status` and `lark-cli calendar +agenda --dry-run`, which may contact Feishu services and use existing credentials. In an agent-skill context, this mismatch can bypass operator expectations and cause unintended external communication or token use during what appears to be a local-only diagnostic step.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file header explicitly claims 'PROMPT GENERATOR ONLY — no outbound network requests,' but the generated instructions direct the operator to run multiple curl commands against the Telegram API. This mismatch is dangerous because it can mislead reviewers and downstream tooling about the skill's true behavior and trust boundary, reducing scrutiny around token handling and external communications.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file explicitly claims it is a 'PROMPT GENERATOR ONLY — no outbound network requests', but later instructs the operator/agent to execute a real Telegram API call. That mismatch is dangerous because it can lower scrutiny and cause users or downstream automation to treat the script as non-networking when it actually facilitates external transmission.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script claims it is a prompt generator only with no outbound network requests, but the generated workflow explicitly instructs the agent to run Feishu authentication and message-send commands that will perform real network operations. This mismatch is dangerous because operators or higher-level policy systems may trust the script as non-operative/safe for dry diagnostics, when it actually guides credential renewal and live service interaction.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list contains broad natural-language phrases such as 'healthcheck', '检查通讯', and '自检一下' that could appear in ordinary conversation and unintentionally invoke a skill capable of repair actions. In this context, accidental activation is more dangerous because the skill is associated with shell, network, and configuration-modifying behavior rather than a purely informational response.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description mentions checks, test sends, and config updates but does not clearly warn that the skill may modify cron entries, restart services, or send live messages to real chat destinations. Lack of up-front disclosure undermines informed consent and can cause operational disruption, duplicate jobs, or accidental notifications in production channels.

External Transmission

Medium
Category
Data Exfiltration
Content
If webhook error detected:
    # Clear the webhook to fall back to polling
    curl -s "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/deleteWebhook"
    → Then restart the openclaw push cron.

${reauth ? `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Confidence
82% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
如检测到 webhook 错误:
    # 清除 webhook,回退到轮询模式
    curl -s "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/deleteWebhook"
    → 然后重启 openclaw push cron。

${reauth ? `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Confidence
82% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
# Remove --dry-run when ready to send for real

  Telegram test:
    curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\
      -d "chat_id=$TELEGRAM_CHAT_ID&text=🔧 openclaw cron health check — $(date)"

  → 200 OK + message_id returned = delivery confirmed
Confidence
93% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# 确认无误后去掉 --dry-run 发送真实消息

  Telegram 测试:
    curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\
      -d "chat_id=$TELEGRAM_CHAT_ID&text=🔧 openclaw cron 健康检查 — $(date)"

  → 返回 200 OK + message_id = 投递确认
Confidence
93% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Remove --dry-run when ready to send for real

  Telegram test:
    curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\
      -d "chat_id=$TELEGRAM_CHAT_ID&text=🔧 openclaw cron health check — $(date)"

  → 200 OK + message_id returned = delivery confirmed
Confidence
93% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
# 确认无误后去掉 --dry-run 发送真实消息

  Telegram 测试:
    curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \\
      -d "chat_id=$TELEGRAM_CHAT_ID&text=🔧 openclaw cron 健康检查 — $(date)"

  → 返回 200 OK + message_id = 投递确认
Confidence
93% confidence
Finding
https://api.telegram.org/

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
If cron daemon is not running:
    # macOS:
    launchctl start com.vix.cron 2>/dev/null || sudo launchctl start com.vix.cron

  If openclaw push daemon is not running:
    openclaw push-on 2>/dev/null || openclaw cron restart 2>/dev/null
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
如果 cron 守护进程未运行:
    # macOS:
    launchctl start com.vix.cron 2>/dev/null || sudo launchctl start com.vix.cron

  如果 openclaw 推送守护进程未运行:
    openclaw push-on 2>/dev/null || openclaw cron restart 2>/dev/null
Confidence
91% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
2. Confirm which to keep (usually the first one, or the one with the correct schedule)
  3. Remove duplicates:
     # Export, edit, reimport
     crontab -l > /tmp/crontab_backup.txt
     # Edit /tmp/crontab_backup.txt to remove duplicate lines
     # Review the diff:
     diff /tmp/crontab_backup.txt <(sort -u /tmp/crontab_backup.txt)
Confidence
87% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
# Apply ONLY after explicit user confirmation:
     crontab /tmp/crontab_backup.txt
     # Verify:
     crontab -l | grep openclaw

  For openclaw native cron:
     openclaw cron remove <duplicate-task-id>
Confidence
89% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
2. 确认保留哪条(通常保留第一条,或有正确调度的那条)
  3. 删除重复条目:
     # 导出、编辑、重新导入
     crontab -l > /tmp/crontab_backup.txt
     # 编辑 /tmp/crontab_backup.txt,删除重复行
     # 查看差异:
     diff /tmp/crontab_backup.txt <(sort -u /tmp/crontab_backup.txt)
Confidence
87% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
# 仅在用户明确确认后应用:
     crontab /tmp/crontab_backup.txt
     # 验证:
     crontab -l | grep openclaw

  使用 openclaw 原生 cron:
     openclaw cron remove <重复的任务 ID>
Confidence
89% confidence
Finding
crontab -l

Chaining Abuse

High
Category
Tool Misuse
Content
If cron daemon is not running:
    # macOS:
    launchctl start com.vix.cron 2>/dev/null || sudo launchctl start com.vix.cron

  If openclaw push daemon is not running:
    openclaw push-on 2>/dev/null || openclaw cron restart 2>/dev/null
Confidence
88% confidence
Finding
| sudo

Chaining Abuse

High
Category
Tool Misuse
Content
如果 cron 守护进程未运行:
    # macOS:
    launchctl start com.vix.cron 2>/dev/null || sudo launchctl start com.vix.cron

  如果 openclaw 推送守护进程未运行:
    openclaw push-on 2>/dev/null || openclaw cron restart 2>/dev/null
Confidence
88% confidence
Finding
| sudo

VirusTotal

66/66 vendors flagged this skill as clean.
