Security audit

OpenClaw Docker Setup

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Docker setup guide for OpenClaw, but it requires careful handling of tokens, local configuration changes, and network exposure.

Install only if you are comfortable running Docker setup commands and giving the container access to OpenClaw data and API tokens. Keep port 18789 bound to localhost unless you intentionally expose it through Tailscale or a tightly scoped firewall rule, protect .env with restrictive permissions such as chmod 600, avoid optional host credential mounts unless needed, and review any --fix command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The script runs a security audit and then automatically executes a fix action, which can change system or application state without confirmation. In a setup helper, auto-remediation can be risky because users may invoke it expecting diagnostics only, and unintended changes could weaken configuration, break services, or mask issues.

Missing User Warnings

Medium
Confidence: 91%
Finding
The config repair path calls `doctor --fix` automatically when a config check fails, modifying user configuration without consent. Automatic mutation of files under a user's home directory can introduce unsafe defaults, overwrite manual settings, or cause hard-to-audit state changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The `security_audit` function immediately follows a deep audit with `security audit --fix`, causing remediation to occur automatically. Security tooling should not silently change configuration or runtime state because users may expect assessment only and fixes can have unintended security or availability effects.

Missing User Warnings

Medium
Confidence: 92%
Finding
The guide instructs users to create a `.env` file containing live API keys, bot tokens, and an auth token directly in the working directory before prominently warning that the file is sensitive. This increases the chance of credential leakage through accidental git commits, loose filesystem permissions, backups, shell history, or directory sharing, especially in a Docker-focused quickstart likely to be copied verbatim by inexperienced users.

Missing User Warnings

Medium
Confidence: 94%
Finding
The troubleshooting guidance instructs users to temporarily set `dmPolicy` to `open` and `allowFrom` to `[*]`, which effectively removes sender restrictions and can expose the service to any reachable client. Although it says this is temporary, it does not provide concrete containment steps such as restricting access to localhost, stopping remote exposure first, or using a one-time test window, so users may leave the insecure configuration in place while the service is reachable over Tailscale or LAN.

Missing User Warnings

Medium
Confidence: 87%
Finding
The document tells the user to run `sudo ufw allow 18789/tcp` without an adjacent warning that this increases network exposure of the OpenClaw service. In the context of a guide explicitly enabling Tailscale and LAN access, this can expand reachability to a sensitive management or agent interface without prompting the user to validate authentication and origin restrictions first.

VirusTotal

51/51 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.