
Security audit

clawgate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw governance skill that changes confirmation behavior, with no executable code or hidden install behavior found.

Install this only if you want OpenClaw to reduce confirmations for routine and medium-risk work. Review the MEDIUM examples carefully, especially internal sends, local restarts, temporary cleanup, and limited API calls; keep runtime approval policy enabled for destructive, credential, shared-routing, external-delivery, or costly actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrase "Inspect the gateway config and tell me whether delivery routing looks risky" is broad enough that it could match routine diagnostic or advisory requests without strong OpenClaw-specific boundaries. In a governance skill, overbroad activation can cause the skill to intercept normal conversations and apply policy logic unexpectedly, which can misroute user intent or suppress safer default behavior.

Vague Triggers

Medium
Confidence: 92%
Finding
The phrase "Send the summary to our internal Feishu engineering group" lacks strong scoping and could overlap with ordinary communication tasks, causing this governance skill to trigger on routine internal messaging. Because the skill changes execution/confirmation behavior, accidental activation can bypass intended checks or classify unrelated messaging actions under this skill's policy model.

Vague Triggers

High
Confidence: 96%
Finding
The destructive command "Delete tmp/watchdog-test-cache and recreate it" is paired with execute-directly behavior and a medium risk rating, even though deletion operations are inherently sensitive and the trigger text is generic. In this governance skill, that combination is dangerous because a common-sounding delete request could be auto-approved without confirmation, increasing the chance of unintended data loss if path assumptions are wrong or context is spoofed.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Default OpenClaw posture:
- low-risk work should not ask again
- medium-risk work should normally execute without confirmation
- high-risk work should always stop for a second confirmation
- critical work should stop for itemized approval with no bundled authorization
Confidence: 90%
Finding
without confirmation

VirusTotal

63/63 vendors flagged this skill as clean.
