Back to skill

Security audit

clawsec-suite

Security checks across malware telemetry and agentic risk

Overview

This security suite is mostly purpose-aligned, but it needs Review because it can persistently change the OpenClaw environment and its packaged verification materials do not fully support its security claims.

Install only if you want ClawSec to manage OpenClaw security monitoring. Before enabling it, verify the feed signing public key and signature/checksum artifacts are actually present or intentionally supplied through trusted CLAWSEC_* paths, review the hook and cron setup output, and avoid broad automatic activation for generic update or advisory requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and documents shell execution, environment-variable use, network access, and persistent hook/cron installation, but the metadata does not declare corresponding permissions. This creates a trust and review gap: operators may install it expecting low privilege while it can modify local state and invoke external tools, increasing the chance of unsafe deployment or abuse if the package contents differ from expectations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code documents SecurityPolicyError as something that must always propagate, but loadRemoteFeed and fetchText intentionally convert those failures into null in some paths. In a security-sensitive advisory/verification component, suppressing policy violations can hide active misconfiguration or tampering attempts and trigger unsafe fallback behavior, reducing detection and auditability.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
Remote checksum verification is enabled by default but silently skipped whenever checksum artifacts are absent, despite comments presenting this as an optional/graceful path. Because the feed signature is still checked, this is not a complete integrity bypass, but it weakens defense in depth and can mislead operators into believing artifact-level integrity verification is being enforced when it is not.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad generic phrases such as 'security advisories', 'update skills', and 'verify skills' that can match normal user requests unrelated to this specific suite. In an agent skill system, overly broad activation increases the chance the skill runs unexpectedly, which is more sensitive here because the skill can install hooks, create cron jobs, fetch remote artifacts, and influence skill installation/removal workflows.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "Checksums manifest signature and archive hash verified."

# 3) Install verified archive
mkdir -p "$INSTALL_ROOT"
rm -rf "$DEST"
unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT"
Confidence
89% confidence
Finding
mkdir -p "$INSTALL_ROOT" rm -rf "$DEST" unzip -q "$TEMP_DIR/$ZIP_NAME" -d "$INSTALL_ROOT" chmod 600 "$DEST/skill.json" find "$DEST" -type f ! -name "skill.json" -exec chmod 644 {} \; echo "Installed

Self-Modification

High
Category
Rogue Agent
Content
"install security skills",
      "verify skills",
      "check skill integrity",
      "update skills"
    ]
  }
}
Confidence
80% confidence
Finding
update skill

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/sign_detached_ed25519.mjs:53