OpenClaw Growth Pack

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about configuring OpenClaw, but it changes core agent behavior, exposes token values in local output, and can create persistent self-check routines without enough scoping or cleanup guidance.

Install only if you intentionally want this OpenClaw instance to change its model configuration and adopt persistent anti-stall or autonomy routines. Redact token values before running or sharing the audit output, review every proposed file change first, and keep a rollback list for AGENTS.md, HEARTBEAT.md, memory files, provider overrides, and any scheduled jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs the agent/user to create or modify local configuration and operational files such as AGENTS.md and HEARTBEAT.md, which changes system behavior and persistence without any explicit warning, confirmation gate, or scope limitation. In a security context, silent modification of local config and agent-control files can alter execution policy, persistence, and autonomy in ways the user may not fully understand.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal