Back to skill

Security audit

Everclaw — Inference You Own

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated always-on decentralized inference purpose, but it bundles high-impact wallet, persistence, remote reinstall, device-fingerprinting, and unrelated repository-rewrite tools that need careful review before installation.

Install only if you intentionally want a persistent Morpheus/OpenClaw infrastructure stack that can manage wallet-backed inference. Prefer manual review and pinned installs over curl | bash, use the gateway-only setup if you do not need local wallet staking, avoid running the repository-rewrite scripts, do not use export-key except in a controlled terminal, set explicit swap slippage and approval amounts, and review the launchd/pmset changes before enabling always-on mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (134)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Bundling host auditing and prompt-injection/security toolchains inside an inference skill creates a scope mismatch that can mislead users about what will inspect local files, configs, or logs. Even if intended defensively, these tools can access sensitive host data and should not be silently inherited by a routing skill.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
A general task-planning and shift-execution engine is unrelated to core inference delivery and introduces autonomous workflow behavior into a networking/wallet skill. Combining these functions increases the chance of unintended actions and makes risk review harder because execution logic is hidden inside a broadly scoped package.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The always-on power-management feature changes system-wide macOS sleep behavior, installs persistence, and affects device security/availability beyond what is necessary for an inference router. Such host-level configuration changes can materially alter power, physical security, and operational posture if enabled without clear isolation and consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script performs host security auditing and remediation for a 'Clawdbot' installation, which is materially outside the stated everclaw inference/router functionality. Capability drift like this is dangerous because users may install the skill for model routing but unknowingly grant it visibility into local security posture and configuration, expanding the attack surface and normalizing unrelated privileged behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Inspecting /etc/ssh/sshd_config gives the skill awareness of system-wide hardening state unrelated to inference routing, and it may encourage execution in elevated contexts to access privileged files. In the context of an agent skill, this is risky because it reaches beyond app-local configuration into host administration, which could be repurposed for reconnaissance or privilege-seeking behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The --fix path changes filesystem permissions with os.chmod based on accumulated findings, giving the skill host-remediation capabilities not justified by the manifest. Even though the current logic targets ~/.clawdbot paths, bundling mutation of local security settings into an unrelated inference skill increases trust requirements and can cause unintended or unsafe changes if paths or findings evolve.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code derives a stable device fingerprint from hostname, MAC address, platform, and username, then transmits it to a remote service. Although the values are hashed before transmission, the fingerprint is still a persistent identifier derived from device/user attributes, so the claim that 'no PII is exposed' is misleading and undermines informed consent and privacy expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script's stated purpose is syncing the EverClaw ecosystem, but it also reaches into a separate repository under $HOME and may update it automatically. This creates unexpected cross-repository side effects, violates least surprise, and can modify user workspace state outside the declared scope of the command.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script is not limited to inference/router support; it can execute live token swaps and grant on-chain spending approvals using a locally stored private key. That materially expands the trust boundary and creates direct fund-loss risk, especially because the swap path uses amountOutMinimum: 0, allowing extreme slippage or sandwich/front-running losses, and the approve flow defaults to unlimited allowance.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The export-key command prints the raw private key to stdout, which can be captured by shell history, logs, terminal recorders, parent processes, CI runners, or other local monitoring tooling. Exposure of the private key gives complete control over the wallet and all assets, making this a direct credential-compromise path.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This script bulk-clones, rewrites, and force-pushes history across many external repositories, which is a destructive capability unrelated to the stated AI inference/router purpose of the skill. In an agent context, this creates a high-risk supply-chain and integrity hazard because accidental or unauthorized execution could rewrite project history at scale and disrupt multiple repositories.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file's behavior materially differs from the skill's declared purpose: instead of inference or routing, it performs bulk PII/history scrubbing and remote history rewrites. That mismatch increases the chance that users or orchestrating agents invoke dangerous repository-modifying behavior they did not expect, especially in a broadly scoped automation package.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script bulk-clones dozens of external repositories, applies automated edits, commits them, and pushes to remote branches with no per-repo authorization or approval gate. In an agent skill whose stated purpose is AI inference/routing, this creates a dangerous supply-chain modification capability that could silently rewrite many repositories and propagate harmful or incorrect changes at scale.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This code establishes an organization-wide repo rewriting workflow unrelated to the skill's advertised inference/router function, indicating excessive and mis-scoped privileges. Such hidden or unnecessary write access increases the risk that an agent using the skill could alter unrelated codebases or be abused for mass tampering.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script deletes tracked repository content as part of a batch process, but does not validate whether the file is safe to remove or whether deletion is appropriate for each target repo. In a mass-edit tool, unconditional file deletion can cause data loss, broken builds, or removal of legitimate project artifacts.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script embeds a remote self-reinstallation path and later executes it automatically as part of recovery logic. In a long-running watchdog context, this creates a high-risk remote code execution/update channel unrelated to simple health checking, especially because the fetched installer is trusted implicitly and can change over time.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The installer is presented as a dependency/setup wrapper, but it invokes remote installation flows and privileged package manager operations that execute code fetched from the network. This expands trust far beyond a simple dependency check and creates a supply-chain risk if any upstream install script or repository is compromised.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script performs full local deployment by cloning a repository into the OpenClaw workspace and running npm install, which executes arbitrary package lifecycle scripts from the fetched codebase. For an installer, this materially increases the attack surface and trust placed in remote code and transitive dependencies.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer goes beyond local setup and automatically invokes a bootstrap script that retrieves a starter key from an external EverClaw-controlled server. This expands trust to an undisclosed credential issuer and can expose the user to unauthorized credential provisioning, tracking, or receipt of malicious configuration/material during installation.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Running `npm install --production` during installation executes dependency resolution and potentially package lifecycle scripts from the project tree, which is far beyond a simple binary installer. If dependencies or the local package manifest are compromised, arbitrary code may run on the user's machine during install.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The launcher retrieves a blockchain private key from 1Password or Keychain and exports it into the process environment for a long-running service. Even if operationally intended, this significantly expands the secret's exposure surface because environment variables can be inherited by child processes, exposed in diagnostics, or accessed by other local tooling running under the same user context.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The script comments imply limited config loading, but `set -a; source .env` imports and executes the entire `.env` file in the current shell. If `.env` is modified or contains shell code rather than simple assignments, an attacker with write access to that file can execute arbitrary commands in the launch context and influence all exported variables.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The /health endpoint returns live sessionId values for active upstream Morpheus sessions. Even if the proxy is intended for local use, exposing bearer-like session identifiers through a diagnostics endpoint increases the risk of session hijacking, lateral misuse by other local users/processes, and accidental leakage via logs, monitoring, or HTTP exposure if the bind host is widened.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script retrieves a wallet private key by first pulling a 1Password service token from macOS Keychain and then using it to reveal the wallet secret at runtime. In the context of an AI inference/router skill, this is an unnecessary credential-access capability that expands the blast radius substantially: running the skill enables access to signing material that can authorize irreversible on-chain transactions.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file performs live token approvals and swaps on Base through Uniswap, which is materially outside the expected behavior of an inference/model-routing skill. That mismatch is dangerous because users may grant trust to the skill for AI operations while the script can spend assets and execute irreversible financial transactions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+3 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/bootstrap-everclaw.mjs:154

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/bootstrap-gateway.mjs:98

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/coingecko-x402.mjs:28

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/everclaw-deps.mjs:212

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/everclaw-wallet.mjs:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup.mjs:202

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/x402-client.mjs:88

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/morpheus-proxy.mjs:21

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x402-client.mjs:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/bootstrap-gateway.mjs:315

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/everclaw-wallet.mjs:123

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
templates/flavors/morpheusclaw/cron-jobs.json:22

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
templates/openclaw-config-linux.json:49

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
templates/openclaw-config-mac.json:47

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/morpheus-proxy.mjs:84

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
prompt-guard/blog/how-i-secured-my-ai-agent.md:12

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
prompt-guard/README.md:34

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
prompt-guard/SKILL.md:30