Security audit

OpenClaw Boot Camp

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw CLI-reference generator with optional online documentation enrichment, not evidence of malware or deceptive behavior.

Install only if you are comfortable running a local bash script that invokes your installed OpenClaw CLI and writes into ~/.openclaw. Choose local-only mode if you want no network access; use enrich mode only if you accept fetching documentation from docs.openclaw.ai and incorporating it into the generated note. Back up an existing openclaw-cli-reference.md before using --yes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises executable shell usage (`bash bootcamp.sh`) but the manifest shown in `SKILL.md` does not declare corresponding permissions. Undeclared execution capability is risky because users and higher-level policy controls may assume the skill is documentation-only, while it can actually run local commands and inspect the installed CLI environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description emphasizes local discovery from the installed version, but the documented behavior also includes optional enrichment against `docs.openclaw.ai`. This mismatch can mislead users into approving a seemingly local-only utility that performs network access and remote content scraping, which expands the attack surface and may expose environment metadata or retrieve untrusted content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as generating a reference from the installed CLI, but enrichment mode also pulls remote content from docs.openclaw.ai and incorporates it into the generated notes. This creates a trust-boundary violation and can expose metadata such as IP/network access, while also allowing untrusted remote content to influence agent-facing documentation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script adds network-fetching capability that is not essential to the core local CLI-discovery function as presented to the user. In an agent skill context, undisclosed outbound requests are risky because they expand attack surface, permit remote influence over generated artifacts, and may violate expectations for offline/local tooling.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The UI claims that no APIs or tokens are used during the process, yet the script can perform remote HTTP requests in enrich mode. Even if no authentication token is sent, this is still misleading because it downplays network activity and may cause users or agents to authorize behavior they would otherwise reject.

VirusTotal

63/63 vendors flagged this skill as clean.