Back to skill

Security audit

OpenClaw Unreal Engine

Security checks across malware telemetry and agentic risk

Overview

This Unreal integration is purpose-aligned, but it needs review because it handles tokens and can overwrite an existing project plugin with weak safeguards.

Review the installer before running it and back up any existing Plugins/OpenClawUnrealPlugin folder. Use HTTPS or strictly localhost-only non-production tokens, avoid committing API keys in Unreal project assets or config, and define explicit limits for remote editor actions and telemetry before using this in a real project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The class exposes an API key as an editable, Blueprint-readable FString with no indication of secure storage, masking, or usage guidance. In Unreal, such settings are often serialized to config/assets, surfaced in editor UI, and can be read by gameplay/editor scripts, increasing the chance of accidental disclosure through source control, logs, packaged content, or untrusted Blueprint access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.