OpenClaw Dual Agent

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only setup guide for running two OpenClaw agents, with credential and cloud-routing risks that are disclosed and aligned with its purpose.

Before installing, use dedicated provider keys and Telegram bots, restrict Telegram allowFrom to your own chat IDs, keep auth-profiles.json and openclaw.json private with restrictive file permissions, and choose the fully offline Ollama configuration if prompts or context must stay local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Session Persistence

Medium
Category
Rogue Agent
Content
**Cause:** Missing or incorrectly placed `auth-profiles.json`.

**Fix:** Create `auth-profiles.json` in the free agent's agentDir:

```bash
cat > ~/.openclaw/agents/free-agent/agent/auth-profiles.json <<'EOF'
```
Confidence
84% confidence
Finding
Create `auth-profiles.json` in the free agent's agentDir: ```bash cat > ~/.openclaw/agents/free-agent/agent/auth-profiles.json <<'EOF' { "version": 1, "profiles": { "openrouter:default": {

VirusTotal

63/63 vendors flagged this skill as clean.
