easy-openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine OpenClaw setup helper, but it can handle credentials and make broad persistent changes, so users should review it carefully before installing.

Install only if you are comfortable letting this skill modify OpenClaw configuration, handle bot credentials, install third-party components, create backups and cron jobs, and restart the gateway. Before approving execution, ask for an exact dry run showing file diffs, commands, credentials touched, new jobs, backup location, and rollback steps; avoid broad exec allowlists on important systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This section expands the skill from configuration advice into active onboarding that solicits and handles sensitive channel credentials such as Discord tokens, Telegram bot tokens, and Feishu app secrets. Even if intended for legitimate setup, collecting secrets inside a conversational skill increases the chance of accidental disclosure, logging, mishandling, or use beyond the user’s original expectation of 'optimization'.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The instructions direct the agent to read an existing Discord token from configuration and use it with live API calls to infer server identifiers from session metadata. Accessing stored tokens and external APIs to derive additional identifiers increases privilege use and data exposure, especially when done automatically rather than only after narrowly scoped user approval.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill goes beyond configuration guidance by suggesting automatic Docker installation as part of reaching a preferred security mode. Installing system software changes the host substantially and may require elevated privileges, which is not necessary for a configuration wizard and expands the blast radius of the skill. In this context, the issue is more dangerous because the skill normalizes host modification during a routine optimization flow.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The recommended exec approval allowlist broadly auto-allows powerful binaries such as git, npm, bun, pip, and python. Allowing whole binaries rather than tightly scoped subcommands can permit destructive or exfiltrative operations like git push/reset, package publication, arbitrary script execution, or dependency-install hooks without further approval. This is especially risky in a configuration wizard because users may trust the defaults and unknowingly weaken execution controls.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Configuring approval notifications to external chat accounts extends the skill from local configuration into outbound data routing and account targeting. Even if intended for convenience, approval prompts can leak command context, filenames, or operational metadata to third-party messaging platforms and create unintended notification channels. This is more dangerous here because the skill presents it as a recommended configuration step rather than an optional integration with privacy warnings.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The guidance explicitly instructs the agent to read a Discord bot token from the local OpenClaw config and use it in direct API calls. Even if intended for convenience, this expands the skill from configuration advice into credential access and outbound authenticated requests, creating unnecessary secret handling and increasing the risk of token exposure, misuse, or use in the wrong account context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly instructs users to install the skill, follow prompts, then confirm automatic configuration writes and restart the Gateway, but it does not clearly warn that the skill will modify live system configuration and trigger a service restart. In a skill that targets novice users and emphasizes one-click optimization, this can lead to uninformed approval of potentially disruptive or risky changes, especially if credentials, permission modes, or channel integrations are being altered.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad and include common help-seeking language such as '配置向导' (configuration wizard), '初始化' (initialize), and '一键整理配置' (one-click configuration tidy-up), which can cause the skill to activate in ordinary conversation without a narrowly scoped user request. In this skill, unintended activation is more dangerous because the workflow includes environment checks, reading local state, backup/restore prompts, and potential configuration changes or restarts once the user proceeds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to inspect '~/.openclaw/workspace/memory/' for a nickname before greeting the user, but it does not require prior notice or consent. Reading persisted memory data without an explicit warning violates user expectations and can expose personal or sensitive context even before the user agrees to the configuration workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to summarize daily conversations into persistent memory files without warning that sensitive chat content may be stored long-term. This can capture secrets, personal data, or confidential business context and make later compromise or accidental disclosure more damaging. The risk is elevated because the archival is framed as a routine optimization feature.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends third-party web extraction endpoints without warning that visited URLs and retrieved page content may be transmitted to external services. Users may unknowingly send private links, internal URLs, or sensitive browsing targets outside their environment. In a setup wizard, presenting these services as defaults increases the chance of silent data disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This instruction directs the agent to deploy a nightly cron job and modify security rules automatically based on an external guide, but it does not require explicit user confirmation, scope review, or a warning about operational side effects. In an agent skill context, that is risky because it can cause persistent system changes, alter access controls, and create recurring execution without the user fully understanding what will be changed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs extracting a Discord bot token directly from the user's local config and using it in troubleshooting steps, but provides no credential-handling safeguards such as masking, least-privilege guidance, or warnings not to paste or log the token. In an agent skill context, this is risky because users may expose a live bot secret in terminal history, screenshots, shared transcripts, or follow-on debugging, enabling account takeover of the bot.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Backup location: prefer a directory outside ~/.openclaw/; fall back inside it if that fails
BACKUP_DIR="$HOME/openclaw-backups"
mkdir -p "$BACKUP_DIR" 2>/dev/null || BACKUP_DIR="$HOME/.openclaw/backups"
mkdir -p "$BACKUP_DIR"
# Archive the whole ~/.openclaw/ tree (config, credentials, memory) into a timestamped zip,
# excluding any earlier backups stored inside it
cd ~ && zip -r "$BACKUP_DIR/backup-openclaw-all-$(date +%Y%m%d-%H%M%S).zip" .openclaw/ -x ".openclaw/backups/*"
```
Confidence
85% confidence
Finding
The flagged skill text continues the backup block above and then states the rule and the next section heading:

```bash
mkdir -p "$BACKUP_DIR"
cd ~ && zip -r "$BACKUP_DIR/backup-openclaw-all-$(date +%Y%m%d-%H%M%S).zip" .openclaw/ -x ".openclaw/backups/*"
```

Rules:
- Prefer placing the backup directory outside `~/.openclaw/`, to avoid "snowballing".

2. Read and deep-merge the configuration

VirusTotal

64/64 vendors flagged this skill as clean.
