OpenClaw Bootstrap

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for self-improving agent setup, but it installs persistent automation and memory collection with weak user-facing consent controls.

Install only if you explicitly want this agent to maintain long-term local memory and run persistent hooks or scheduled jobs. Before running the bootstrap, inspect every file it will write, review the hook and cron contents, skip or remove networked installs you do not need, and confirm you know how to disable the automation and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises a one-command bootstrap but does not clearly warn that it will create multiple workspace files and install self-evolution hooks and scheduled cron jobs. This is dangerous because users may run it without informed consent, leading to persistent automated behavior and filesystem changes they did not expect.

Missing User Warnings

Medium
Confidence: 95%
Finding
The boot procedure explicitly instructs the agent to create or amend log data ('补一条', "add a supplementary entry", and marking '无上下文恢复', "recovered without context") during automatic startup checks, while also saying not to proactively notify the user. That creates undisclosed persistence and record modification behavior, which can mislead operators about what was user-generated versus system-generated and weakens audit integrity.

Vague Triggers

Medium
Confidence: 93%
Finding
The file states that the agent will 'automatically capture' work habits and preferences over time, but it does not define clear trigger conditions, scope limits, or review/consent boundaries. In a long-term memory file for an agent bootstrap skill, this creates a real privacy and governance risk because personal data may be persisted without the user's informed awareness or predictable rules.

Missing User Warnings

High
Confidence: 97%
Finding
The file describes persistent storage of personal information, preferences, and behavioral learnings, including automatic accumulation and scheduled retrospectives, but does not warn the user that such data will be collected and retained. In the context of a bootstrap skill that sets up self-evolution systems, hooks, and cron jobs, the absence of a clear disclosure materially increases the chance of silent long-term collection of personal data.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
Setting the preferred language to Chinese by default records a user preference without indicating that it was chosen by the user or that the value is merely a placeholder. While lower impact than broad auto-capture, it can still create incorrect profiling and demonstrates that personal preference fields may be prepopulated without consent or verification.

Missing User Warnings

Medium
Confidence: 84%
Finding
The file explicitly tells the agent to treat local files as persistent memory and to read and update them each session. In a bootstrap skill that sets up '.learnings + hooks + crons', this creates a durable prompt-injection and unauthorized state-modification risk: future agent behavior can be silently altered through memory files without clear user consent or change controls.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script immediately creates workspace and hook directories and copies multiple files into user-controlled locations without any explicit warning, dry-run mode, or confirmation prompt. While these writes are expected for a bootstrap tool, they still modify the user's environment and can surprise users, especially because the skill's stated purpose includes setting up persistent self-evolution components.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script installs global software with npm and invokes clawhub to install an additional skill, both of which perform system-affecting changes and may pull unreviewed remote content. Even if intended as convenience setup, doing this without a prior warning or opt-in increases supply-chain and unexpected-modification risk.

Missing User Warnings

High
Confidence: 99%
Finding
The script copies a hook into a persistent hooks directory, enables it, and adds recurring cron jobs that automate future behavior, yet it does not clearly warn the user that long-lived automation is being installed. This is more dangerous in context because the skill explicitly sets up a 'self-evolution system,' meaning future automated actions may continue after bootstrap and may process workspace data without fresh consent.

VirusTotal

65/65 vendors flagged this skill as clean.
