OpenClaw Plugin Installation: Troubleshooting Common Problems

Security checks across malware telemetry and agentic risk

Overview

This is a troubleshooting-only skill; its npm install advice is relevant to its stated purpose, though users should be cautious with global installs and `--force`.

Before installing, confirm package names and sources from official documentation. Prefer a normal `npm install` and permission-fix steps first; use global installs or `--force` only when you understand that they may overwrite or alter system-wide npm package state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly recommends `npm i -g clawhub --force` as a fix for Windows installation issues, but does not warn that `--force` bypasses normal safety checks and can overwrite or mask underlying dependency, permission, or package-state problems. In a troubleshooting skill, users are likely to copy-paste commands directly, so this guidance can lead to unstable installs or unintended package-state changes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The general troubleshooting section normalizes `npm install -g 插件名 --force` as one of several standard installation methods without any cautionary text. Presenting force install as routine guidance increases the chance that users will apply it indiscriminately, potentially corrupting package state, concealing root causes, or overriding safeguards during installation.

VirusTotal

66/66 vendors flagged this skill as clean.
