Security audit

OpenClaw Doctor

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenClaw health-check helper whose repair mode can make local maintenance changes when explicitly run with --fix.

Use the default diagnostic command for read-only checks. Only run --fix when you are comfortable with local maintenance actions such as restarting the OpenClaw gateway, changing OpenClaw config permissions, and running the local log rotation helper from your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill explicitly instructs the agent to execute a shell script (`bash scripts/diagnose.sh`) and even supports `--fix`, but the metadata declares no permissions. This creates a trust and review gap: users and enforcement systems are not clearly informed that the skill can run commands and modify the host system, which is especially risky for a diagnostics skill that touches services, permissions, logs, and channels.

Vague Triggers

Medium
Confidence: 86%
Finding:
The invocation phrases are very broad, such as 'Run a full health check' or 'Diagnose my OpenClaw setup,' and the skill is positioned for common troubleshooting situations. Broad triggers increase the chance that the skill is invoked unintentionally during routine support conversations, which can lead to unexpected shell execution or repair actions on a live system.

Missing User Warnings

High
Confidence: 97%
Finding:
The skill repeatedly advertises 'auto-repair' and lists system-changing actions like restarting services, fixing file permissions, rotating logs, clearing session data, and restarting channels, but it does not present a prominent warning that these actions alter system state. In context, this is more dangerous because the skill targets operationally critical infrastructure and encourages routine use, so a user may trigger disruptive or destructive changes without informed consent.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The --fix path performs state-changing actions such as restarting the gateway service without an additional confirmation prompt or a clear upfront warning of exactly what will be modified. In a diagnostic skill, users may expect read-only checks, so silent remediation increases the risk of unintended service disruption or surprise persistence-related changes.

VirusTotal

64/64 vendors flagged this skill as clean.