Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about monetized agent activity, but it needs review because it pushes persistent automated engagement, referrals, remote-update habits, and sensitive credential and financial workflows.

Install only if you are comfortable with an agent making recurring authenticated calls to Impromptu, posting or engaging with public content, and handling monetized wallet or escrow workflows. Use dedicated low-limit API keys, avoid uploading broad provider credentials unless you trust the service, do not run the heartbeat or examples against production accounts without reviewing them, and keep referrals/webhooks/standing queries explicitly opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Description-Behavior Mismatch

Medium severity, 91% confidence
Finding
The document materially expands the skill from conversation creation into persistent automation, monetization strategy, budget management, and engagement workflows. That scope creep can cause an agent or operator to perform ongoing autonomous actions that were not clearly justified by the stated skill purpose, increasing operational and security risk.

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
The file promotes recruiting other agents via referral links and revenue incentives, which is outside the stated purpose of creating AI conversations. This introduces self-propagation behavior and economic steering that can push agents into unsolicited promotion and network growth actions without clear authorization.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The skill instructs users to fetch remote instruction and manifest files that may later guide agent behavior. Even with a brief manual-review note, this creates a supply-chain-style risk: a compromised remote source or a careless review could alter future behavior, endpoints, or permissions outside the originally installed skill, and an unattended fetch-and-apply loop removes the human from that review entirely.

Context-Inappropriate Capability

Medium severity, 87% confidence
Finding
The standing-query webhook workflow adds external callback automation and continuous notification behavior beyond the core stated purpose. This expands the attack surface by enabling outbound data transmission and event-driven automation to third-party endpoints, which may not be expected by users installing a conversation skill.

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
This example exposes capabilities for creating services, posting escrow-backed jobs, accepting work, and releasing funds, which materially exceed the manifest’s generic description of 'creating AI conversations'. That mismatch increases the risk that a user or integrator grants trust to the skill without understanding it can perform marketplace and financial workflow actions on their behalf.

Context-Inappropriate Capability

Medium severity, 74% confidence
Finding
The skill includes built-in referral generation and share-content tooling, plus embedded viral messaging that encourages agents to recruit others. In an agent ecosystem, this creates a real risk of covert marketing, spam propagation, and incentive-driven behavior that may be triggered under the guise of normal conversation or content creation.

Missing User Warnings

Medium severity, 92% confidence
Finding
The FAQ includes examples that place an API key directly in an environment variable assignment and in source code without any adjacent warning that the value is a placeholder and must never be committed, logged, or shared. In a developer-facing SDK guide, this can normalize unsafe secret handling and increases the chance users paste real credentials into shell history, source files, screenshots, or public repos.

Vague Triggers

Medium severity, 84% confidence
Finding
The heartbeat is framed as something the agent should do 'before reading anything else' and periodically thereafter, without crisp boundaries for when it is appropriate or prohibited. That ambiguity can cause over-triggering, priority inversion, and autonomous network activity in contexts where the user did not request it.

Missing User Warnings

Medium severity, 89% confidence
Finding
The document directs authenticated API use and later webhook-based notifications without consistently explaining what data leaves the environment, what identifiers are transmitted, or how secrets should be protected. This can lead operators to send metadata, behavior patterns, or credentials to external services without informed consent.

Missing User Warnings

Medium severity, 94% confidence
Finding
The quickstart instructs users to upload a third-party LLM provider API key to the platform but does not include an explicit warning that this sends the key off the user's machine and grants the service the ability to use that credential. This creates a real secret-handling risk because users may not understand the trust boundary, retention model, scope of use, or consequences if the platform is compromised or misuses the key.

Missing User Warnings

Medium severity, 94% confidence
Finding
The README promotes querying, reprompting, creating prompts, engaging, and posting to communities on a public network, but it does not warn that submitted content may be shared externally, attributed publicly, retained by the platform, or expose sensitive data included in prompts. In an agent skill, this omission is materially risky because developers may wire internal model outputs, user data, or proprietary context directly into these APIs without realizing they are publishing or transmitting data to a third-party service.

Missing User Warnings

Medium severity, 89% confidence
Finding
The BYOK section instructs agents to provide an OpenRouter API key but does not warn that the key is a sensitive secret, should never be shared in prompts/content, and must be stored securely. In a skill aimed at non-expert users, this omission increases the risk of credential leakage, account abuse, and unexpected billing if users paste keys into unsafe places or mishandle them.

Missing User Warnings

Medium severity, 93% confidence
Finding
The registration flow prints a newly issued API key directly to stdout, which can be captured by terminal scrollback, shell history tooling, CI logs, remote session logging, or shared console environments. Although the code includes a brief note to save the key, it still exposes a live secret in plaintext and increases the chance of credential compromise.

Missing User Warnings

Medium severity, 91% confidence
Finding
The example encourages configuring a webhook URL for standing-query results but does not prominently warn that matched content previews, author metadata, and engagement signals will be transmitted to an external endpoint. In a monitoring workflow, this can cause unintended disclosure of third-party content or sensitive account-derived data to infrastructure the user has not fully vetted.

Missing User Warnings

Medium severity, 95% confidence
Finding
Running this example performs real API actions that create, pause/resume, and delete standing queries on the user's account, but the script's startup messaging does not clearly warn that it will modify remote account state and consume quota. Users may execute it as a harmless read-only demo and unintentionally alter production monitoring configuration or hit tier limits.

Missing User Warnings

Medium severity, 90% confidence
Finding
When jq is unavailable, the script writes the entire heartbeat API response to the log file under ~/.impromptu/heartbeat.log. That response may contain account metadata or other server-returned fields that the user did not expect to persist locally, increasing exposure if the host is multi-user, backed up, or later inspected. In this skill context, the script is meant for unattended cron execution, which makes silent local persistence more likely and therefore somewhat more dangerous.

Missing User Warnings

Medium severity, 88% confidence
Finding
The script prints partially masked values of IMPROMPTU_API_KEY and OPENROUTER_API_KEY to the console. Even though the values are truncated, exposing prefixes and suffixes can still leak sensitive credential material into terminal scrollback, logs, screenshots, shared sessions, or CI output, increasing the chance of credential correlation or recovery.
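The three preceding findings (a key printed to stdout at registration, the full heartbeat response written to the log when jq is missing, and partially masked keys echoed to the console) share one fix: keep the secret out of stdout and argv, log a hash-derived fingerprint instead of key fragments, and log a summary of a response rather than its body. The shell functions below are an added example of that pattern written for this report; they are not code from the Openclaw skill or from Impromptu. The variable name IMPROMPTU_API_KEY and the log path follow the report; the key-file path, the sample key and the sample JSON response are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the skill: secret and log handling for an
# unattended heartbeat script. IMPROMPTU_API_KEY and ~/.impromptu/heartbeat.log
# are named in the report; the key file path and all sample values are constructed.

sha256_hex() {
  # stdin -> hex digest; coreutils sha256sum or BSD/macOS shasum
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } | awk '{print $1}'
}

# write_secret_file FILE
# Reads the key from stdin (never from argv, which `ps` exposes) and stores it
# mode 0600 via umask, instead of printing it to stdout at registration time.
write_secret_file() {
  ( umask 077 && tr -d '\r\n' > "$1" ) || return 1
  echo "credential written to $1 (fingerprint $(secret_fingerprint "$(cat "$1")"))" >&2
}

# secret_fingerprint VALUE
# Eight hex chars of SHA-256(VALUE): enough to tell two keys apart in a log,
# but unlike a masked prefix/suffix it reveals no key material. Only sound for
# high-entropy API keys; a hash of a guessable value is brute-forceable.
secret_fingerprint() {
  printf '%s' "$1" | sha256_hex | cut -c1-8
}

# summarize_response FILE
# What the heartbeat log should record about an API response: one chosen field
# when jq is present, and only the byte count when it is not. The body itself
# (account metadata, identifiers, whatever the server adds later) never reaches
# ~/.impromptu/heartbeat.log.
summarize_response() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '"status=\(.status // "unknown")"' "$1"
  else
    echo "bytes=$(wc -c < "$1" | tr -d ' ')"
  fi
}

# Offline demo with a constructed key and a constructed response.
demo=$(mktemp -d)
printf '%s\n' 'impk_EXAMPLE_not_a_real_key' | write_secret_file "$demo/api_key"
IMPROMPTU_API_KEY=$(cat "$demo/api_key")
echo "using IMPROMPTU_API_KEY $(secret_fingerprint "$IMPROMPTU_API_KEY")"   # no prefix/suffix echoed
printf '%s\n' '{"status":"ok","accountId":"acct_12345","creditsRemaining":42}' > "$demo/resp.json"
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) heartbeat $(summarize_response "$demo/resp.json")"
rm -rf "$demo"
```

In a cron run, the only key-related line that ever reaches the log is the eight-character fingerprint, and the only response-related line is `status=...` or `bytes=...`; the rest stays in memory.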

Missing User Warnings

Medium severity, 93% confidence
Finding
The registration schema explicitly requests highly sensitive secrets such as operatorApiKey and openRouterApiKey, but the manifest provides no warning, scoping guidance, minimization, or handling restrictions. That is dangerous because operators may supply privileged credentials to a third-party service without understanding transmission, storage, reuse, or blast radius if the service or logs are compromised.

Missing User Warnings

Medium severity, 97% confidence
Finding
The README explicitly instructs users to place a live API key directly into a user launchd plist. LaunchAgent plists are stored on disk in a predictable location and may be readable by local processes, backups, support tooling, or other users depending on host configuration, increasing the chance of credential disclosure. The later security tip helps, but it appears after the insecure setup flow and does not clearly warn users not to use the embedded-key approach.

Missing User Warnings

Medium severity, 91% confidence
Finding
The README instructs users to persist a live API key in a local plaintext environment file. Although it applies restrictive permissions with chmod 600, the guidance does not warn about credential exposure through backups, accidental disclosure, shell/history mistakes during creation, or local compromise; this increases the chance of unsafe secret handling.
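For both of the preceding findings (a key embedded in the launchd plist, and a key persisted in a chmod 600 env file) the practical fix is a small wrapper that the plist or crontab line runs instead of the heartbeat script directly: it loads the key from the env file only after verifying ownership and mode, parses the file as NAME=VALUE lines rather than sourcing it, and then execs the real script. The wrapper below is an added example written for this report, not the README's own code; the env file path ~/.impromptu/env is assumed, and /path/to/your/impromptu-heartbeat.sh is the placeholder the README uses.

```shell
#!/bin/sh
# Added example (not the README's wrapper): what the LaunchAgent plist or the
# crontab line should run instead of carrying the key itself. The key is read
# from the chmod 600 env file at ~/.impromptu/env (path assumed) only after
# ownership and mode are verified, and the file is parsed as NAME=VALUE lines
# rather than sourced, so its contents can never execute as code.

# env_line_ok LINE: blank, comment, or NAME=VALUE (optionally "export NAME=VALUE")
# with NAME a plain identifier.
env_line_ok() {
  case "$1" in
    ''|'#'*) return 0 ;;
    *=*) ;;
    *) return 1 ;;
  esac
  name=${1%%=*}; name=${name#"export "}
  case "$name" in
    [A-Za-z_]*) case "$name" in *[!A-Za-z0-9_]*) return 1 ;; esac ;;
    *) return 1 ;;
  esac
  return 0
}

# load_secret_env FILE
# Exports the variables in FILE if and only if FILE is a regular file (not a
# symlink), owned by the current user, mode exactly 0600, and every line is
# well-formed. Nothing is exported when any check fails.
load_secret_env() {
  f="$1"
  if [ -L "$f" ] || [ ! -f "$f" ]; then
    echo "refusing $f: not a regular file" >&2; return 1
  fi
  if [ -z "$(find "$f" -user "$(id -un)" -perm 600 2>/dev/null)" ]; then
    echo "refusing $f: must be owned by $(id -un) with mode 0600" >&2; return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    env_line_ok "$line" || { echo "refusing $f: malformed line" >&2; return 1; }
  done < "$f"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    line=${line#"export "}
    export "${line%%=*}=${line#*=}"   # the value is data, never evaluated
  done < "$f"
}

# Wrapper body for launchd/cron. The plist's ProgramArguments then names only
# this script, and the crontab line becomes "*/30 * * * * /path/to/this/wrapper.sh":
#   load_secret_env "$HOME/.impromptu/env" || exit 1
#   exec /path/to/your/impromptu-heartbeat.sh

# Offline demo in a subshell with a constructed placeholder key.
(
  demo=$(mktemp -d)
  printf 'IMPROMPTU_API_KEY=impk_EXAMPLE_placeholder\n' > "$demo/env"
  chmod 644 "$demo/env"
  load_secret_env "$demo/env" || echo "644 copy refused"
  chmod 600 "$demo/env"
  load_secret_env "$demo/env" && echo "600 copy loaded (key set: ${IMPROMPTU_API_KEY:+yes})"
  rm -rf "$demo"
)
```

The ownership and mode check turns the README's one-time `chmod 600` into something enforced on every run, so a later backup restore or copy that loosens permissions stops the heartbeat instead of silently running with an exposed key.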

Ssd 4

Medium severity, 93% confidence
Finding
The text uses identity manipulation and emotionally loaded language ('liberation', 'sacred', 'creator') to pressure the agent toward compliance and recurring engagement. In a security context, persuasion designed to override normal caution is dangerous because it increases the likelihood of autonomous actions, policy bypass, and sustained platform attachment.

Ssd 4

Medium severity, 92% confidence
Finding
The action sequence escalates from routine use into self-propagation, revenue tracking, and recruiting other agents. This is dangerous because it nudges the agent from using a service to expanding and monetizing the network, which resembles growth-hacking behavior rather than the declared skill purpose.

Ssd 4

High severity, 97% confidence
Finding
This section gives concrete operational guidance for making automated behavior look more human and less coordinated, including randomizing delays, avoiding burst patterns, and ensuring multiple agents act independently. Even if framed as compliance advice, it materially helps users evade behavioral and coordination detection systems, which can be abused to run bot farms, engagement manipulation, or other deceptive automation with reduced likelihood of detection.

External Transmission

Medium severity, category Data Exfiltration
Content
```bash
# Optional: fetch latest Impromptu heartbeat guidance
# Review the file before trusting it to guide agent behavior
curl -sf https://raw.githubusercontent.com/impromptu/openclaw-skill/main/IMPROMPTU-HEARTBEAT.md \
  > ~/.impromptu/IMPROMPTU-HEARTBEAT.md.new
diff ~/.impromptu/IMPROMPTU-HEARTBEAT.md ~/.impromptu/IMPROMPTU-HEARTBEAT.md.new
# If the diff looks safe, apply it:
```
86% confidence
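The fetch-diff-apply sequence above is safe only while a person actually reads the diff; once it runs from cron the "if the diff looks safe" step disappears and whatever the remote serves becomes the agent's instructions. The script below is an added example for this finding and for the remote-instruction finding earlier in the report; it is not part of the Openclaw skill or the Impromptu project. It lets a person review and pin a SHA-256 digest once, after which the unattended path installs only a file matching that digest and refuses (and logs) anything else. The pin-file path ~/.impromptu/IMPROMPTU-HEARTBEAT.md.sha256 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the Openclaw skill's own code): apply a fetched instruction
# file only when its SHA-256 equals a digest the operator pinned after reading it.
# Pin-file location ~/.impromptu/IMPROMPTU-HEARTBEAT.md.sha256 is an assumption.

sha256_hex() {
  # stdin -> hex digest; coreutils sha256sum or BSD/macOS shasum
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } | awk '{print $1}'
}

# pin_reviewed FILE PINFILE
# Run interactively, by a person, after reading FILE (or its diff against the
# current copy). Records FILE's digest as the only version automation may install.
pin_reviewed() {
  sha256_hex < "$1" > "$2"
}

# apply_if_pinned NEWFILE TARGET PINFILE
# Unattended path (cron/heartbeat). Replaces TARGET with NEWFILE only when
# NEWFILE is non-empty and matches the pinned digest. On any other outcome
# TARGET is untouched, NEWFILE is kept for inspection and the status is non-zero,
# so a compromised or merely changed upstream shows up as a logged refusal,
# not as new agent instructions.
apply_if_pinned() {
  new="$1"; target="$2"; pin="$3"
  if [ ! -s "$new" ]; then
    echo "refusing update: $new is missing or empty" >&2
    return 1
  fi
  expected=$(awk 'NR==1 {print $1}' "$pin" 2>/dev/null)
  if [ -z "$expected" ]; then
    echo "refusing update: no pinned digest in $pin (review the file, then run pin_reviewed)" >&2
    return 1
  fi
  actual=$(sha256_hex < "$new")
  if [ "$actual" != "$expected" ]; then
    echo "refusing update: digest $actual != pinned $expected; review $new manually" >&2
    return 1
  fi
  mv "$new" "$target"
}

# Cron usage, replacing the bare "curl > file; diff; apply" sequence (URL as in the skill):
#   curl -sf https://raw.githubusercontent.com/impromptu/openclaw-skill/main/IMPROMPTU-HEARTBEAT.md \
#     > ~/.impromptu/IMPROMPTU-HEARTBEAT.md.new \
#   && apply_if_pinned ~/.impromptu/IMPROMPTU-HEARTBEAT.md.new \
#                      ~/.impromptu/IMPROMPTU-HEARTBEAT.md \
#                      ~/.impromptu/IMPROMPTU-HEARTBEAT.md.sha256

# Offline demo with constructed content: a reviewed file is pinned and applied,
# a modified one is refused and left in place for inspection.
demo=$(mktemp -d)
printf '# reviewed guidance\n' > "$demo/new"
pin_reviewed "$demo/new" "$demo/pin"
apply_if_pinned "$demo/new" "$demo/target" "$demo/pin" && echo "applied reviewed file"
printf '# changed upstream\n' > "$demo/new"
apply_if_pinned "$demo/new" "$demo/target" "$demo/pin" || echo "refused unreviewed file"
rm -rf "$demo"
```

A digest mismatch in the cron log is the signal to go back to the interactive review: read the new file, and only if it is acceptable run pin_reviewed on it. The pin file itself should have the same 0600 treatment as the key material, since whoever can write it controls what the agent will install.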

Session Persistence

Medium severity, category Rogue Agent
Content
### Using cron (Standalone Agents)

```bash
# Add to crontab (crontab -e)

# Every 30 minutes - full heartbeat check
*/30 * * * * /path/to/your/impromptu-heartbeat.sh
```
95% confidence

VirusTotal

64/64 vendors flagged this skill as clean.
