OpenClaw Configuration Management & Emergency Recovery

Security checks across malware telemetry and agentic risk

Overview

This is a real recovery tool, but it can persistently restart and overwrite OpenClaw configuration, skills, and project state with limited safeguards.

Install only if you intentionally want a local OpenClaw disaster-recovery system that can overwrite current config, skills, and project state and restart the gateway. Before using it, verify the stored restart command, keep backups of ~/.openclaw/rollback, restrict who can edit rollback-config.json and snapshot archives, and manually confirm any skills or project restore before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The setup text correctly says the restart command must be detected and confirmed, but the sample command that writes rollback-config.json hardcodes "kill -USR1 1". If an operator follows the literal command without substituting the detected value, recovery may target the wrong process or fail entirely, silently breaking the dead-man's-switch and potentially signaling PID 1 inappropriately.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script reads `config.restartCommand` and executes it with `execSync(..., shell: '/bin/bash')`, which allows arbitrary shell execution if the configuration is modified. In this recovery context the script is likely to run with elevated privileges and after extracting files to `/`, so a tampered config can turn a restore operation into full command execution.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
`pkill -f watchdog-timer.mjs` matches any process whose full command line contains that string, not just the intended watchdog process. This can kill unrelated processes, especially on shared systems or if an attacker deliberately names a process to match, causing denial of service or interfering with recovery behavior.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The archive extraction helper restores a tarball directly into `/` using `tar -xzf ... -C /`, which gives the archive authority to overwrite arbitrary absolute-path content captured earlier. In a recovery tool this may be functionally intended, but it is still dangerous because a malformed, tampered, or unexpectedly broad archive can modify files outside the OpenClaw-owned paths and cause system-wide damage or privilege-impacting changes.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger language is overly broad and includes vague phrases like any variation of recovery/rollback requests in the OpenClaw context, which can cause the skill to activate unexpectedly. Because this skill performs destructive backup, restore, restart, and watchdog actions, over-triggering increases the chance of unintended execution of state-changing operations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skills restore commands overwrite skill directories but do not require an explicit confirmation step. Since skills may define agent behavior and contain operational logic, an accidental or ambiguous restore could replace active skill files across one or all targets and materially change system behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The project restore commands overwrite project manifests and state files without requiring explicit user confirmation. Even though working content is excluded, restoring project configuration, tools, and state can disrupt active projects, reintroduce unsafe settings, or break integrations unexpectedly.

Missing User Warnings

Medium
Confidence: 94%
Finding
The document provides raw restore and restart commands that overwrite files at absolute paths and may restart critical services, but it does not prominently warn the operator that these steps are destructive and can replace current configuration or trigger downtime. In a recovery-focused skill this behavior is expected, but the lack of explicit confirmation, prerequisite verification, and rollback cautions increases the chance of accidental misuse during a stressful incident.

Missing User Warnings

Low
Confidence: 87%
Finding
The watchdog disarm instructions kill matching processes and directly edit watchdog state on disk without an explicit warning that this disables automatic recovery protections. In an emergency-recovery document this may be operationally necessary, but omitting side-effect warnings can lead users to permanently disable safeguards or affect unrelated matching processes if the pkill pattern is too broad.

Missing User Warnings

Medium
Confidence: 88%
Finding
The reinstall section includes a destructive deletion command for the rollback directory. Although the text says to back up snapshots first and not delete silently, the step itself presents `rm -rf ~/.openclaw/rollback/` as a direct action without an inline warning or safer guardrails, creating a real risk of accidental data loss.

Missing User Warnings

Medium
Confidence: 89%
Finding
The snapshot routine recursively copies project files and subdirectories into a tarball, including potentially sensitive project-local configuration, tools, skills, and state files, but it provides no explicit warning, consent checkpoint, or visibility into exactly what will be archived. In a recovery/backup skill this behavior is expected, but the lack of disclosure increases the risk of unintentionally collecting secrets or private data from project directories and preserving them in rollback storage.

Missing User Warnings

Medium
Confidence: 86%
Finding
The sabotage subcommand intentionally modifies a live configuration file in a destructive way, but it performs the action immediately with no inline confirmation, dry-run guard, or explicit acknowledgment at the point of execution. In a recovery-testing skill, this is contextually expected behavior, but it is still dangerous because accidental invocation, automation mistakes, or misuse can poison credentials and break agent routing before the watchdog restores the file.

Missing User Warnings

High
Confidence: 89%
Finding
This restore path performs an overwrite-capable extraction into the filesystem root with no interactive confirmation or safeguard in the utility itself. In the context of a backup/recovery manager, restores are expected, but silent destructive behavior increases the chance of accidental or induced broad overwrite of system and user files, especially if higher-level callers do not add their own prompts.

VirusTotal

65/65 vendors flagged this skill as clean.
