Security audit

Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

hopeIDS is a coherent security-scanning skill, but users should understand it can inspect messages and use optional LLM, quarantine, and alerting integrations.

Install only if you want a plugin that can inspect and sometimes block agent messages. Review the hopeid npm package before running setup, disable useLlmTask/classifierAgent/llmEndpoint and Telegram alerts if prompts or incident metadata must stay local, set an appropriate quarantineDir and cleanup policy, and consider setting trustOwners to false for higher-risk deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 77%
Finding
The trust command claims a sender will not be scanned in the future, but trust is only applied if the IDS instance is currently initialized and there is no persistence across restarts. This can create a dangerous false sense of exemption for operators, causing inconsistent enforcement and potentially allowing high-risk workflows to proceed under mistaken assumptions about who is trusted.

Missing User Warnings

Medium
Confidence: 89%
Finding
The plugin forwards message content to an external llm-task classifier, which may involve third-party processing of potentially sensitive user or system data. Even though this is part of a security feature, sending raw content off-box without explicit disclosure, consent, or minimization increases privacy and compliance risk and broadens the attack surface to the external provider.

Missing User Warnings

Medium
Confidence: 86%
Finding
The classifier-agent path sends user messages to another agent for analysis without any user-facing disclosure or clear policy boundary. In multi-agent systems, forwarding content to another component can expose sensitive prompts, secrets, or regulated data beyond the original processing context, especially if the classifier agent is operated separately or logged differently.

Missing User Warnings

Medium
Confidence: 84%
Finding
The manifest explicitly enables Telegram alerts by default and describes sending alerts for blocked messages, but it does not warn users that message-derived security event data may be transmitted to an external third-party service. In a security-scanning plugin, blocked content may include sensitive user prompts, metadata, or incident details, so omission of this disclosure can lead to unintended data exfiltration and privacy/compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.