Back to skill

Security audit

OpenClaw Setup (ModelWise)

Security checks across malware telemetry and agentic risk

Overview

This is mostly an OpenClaw setup guide, but its copyable examples can expose an AI gateway and Telegram bot too broadly and it includes an unrelated publishing script.

Install only if you intend to run an OpenClaw gateway and are prepared to review its access controls. Prefer binding to 127.0.0.1 unless LAN exposure is intentional, keep token authentication enabled, use Telegram pairing or explicit allowlists instead of open wildcard access, avoid printing bot tokens in shared terminals, treat reset commands as destructive, and do not run publish.sh unless you specifically mean to publish a ClawHub skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The configuration enables a Telegram integration in a skill whose stated purpose is installation and initial setup. Adding a network-facing messaging interface expands the attack surface and can expose the agent to unsolicited remote interaction that is not necessary for setup tasks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Telegram configuration is openly accessible with dmPolicy set to "open" and allowFrom set to ["*"], meaning any Telegram user could potentially interact with the bot. In the context of a setup skill, this is especially dangerous because it exposes a newly configured system to untrusted remote input without clear operational need.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Browser automation is enabled even though it is not required for basic installation or initial configuration. Unnecessary browser control increases the local attack surface, may execute untrusted web content, and can be abused by downstream agent actions if other controls fail.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file is presented as part of an OpenClaw installation/setup skill, but the script actually performs ClawHub package publication and account checks rather than user-facing OpenClaw setup. This mismatch is dangerous because users or agents invoking the skill for installation help could unintentionally run repository-maintainer operations that publish content remotely under the authenticated account.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This script includes remote publication capability via `clawhub publish`, which is unrelated to installing or configuring OpenClaw and can act on the user's authenticated ClawHub account. In the context of a setup skill, this expands privilege and can cause unauthorized or accidental publication of a skill package, making the mismatch materially riskier than a normal developer utility script.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reset section instructs users to recursively delete the entire ~/.openclaw directory (or Windows equivalent), which can erase configuration, credentials, logs, sessions, memory, and other local state. Even though it is presented as troubleshooting guidance, it lacks a prominent warning about irreversible data loss and could cause accidental destruction when copied blindly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example configuration binds the gateway to 0.0.0.0, exposing it on all network interfaces, and the Telegram example recommends dmPolicy set to open, allowing messages from anyone. In a setup guide, these insecure defaults are risky because users often copy example configs verbatim, potentially exposing a local AI gateway to unsolicited or unauthorized access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide presents a public Telegram bot configuration using `dmPolicy: "open"` and `allowFrom: ["*"]` without an explicit warning that this exposes the bot to unsolicited messages from anyone. In an installation guide, users may copy this default-looking example directly, which can unintentionally make a newly deployed assistant publicly reachable and increase privacy, abuse, and prompt-injection exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The always-active group configuration sets the bot to respond to all group messages, but the guide does not clearly warn that this causes processing of every message in the chat. In the context of an AI gateway setup guide, this can lead to unintended monitoring of conversations, privacy issues, higher operational cost, and greater exposure to malicious or accidental triggering.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration example documents an externally reachable gateway by showing `bind: "0.0.0.0"` and optional `tailscale.funnel` support without any warning about exposure risk, authentication requirements, or the consequences of public access. In an installation/configuration skill, users are likely to copy these defaults directly, which could unintentionally expose the OpenClaw gateway to a LAN or broader network and increase the chance of unauthorized access if auth/TLS are weak or misconfigured.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash

# Reload shell
source ~/.zshrc  # or ~/.bashrc
Confidence
88% confidence
Finding
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash

# Reload shell
source ~/.zshrc  # or ~/.bashrc
Confidence
93% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.