Security audit

OpenClaw Emergency Rollback

Security checks across malware telemetry and agentic risk

Overview

This is a local rollback tool with a coherent purpose, but it can persistently overwrite OpenClaw configuration and restart services automatically, so it needs review before installation.

Install only if you intentionally want a local emergency rollback system that can persist across restarts, overwrite OpenClaw configuration, and restart the gateway. Before using it, verify rollback-config.json contains the correct restart command, restrict permissions on ~/.openclaw/rollback, inspect snapshot contents before restoring, and run the destructive test only with terminal access and a manual recovery copy ready.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The setup tells the operator to supply a restart command, but the generated configuration later hardcodes `kill -USR1 1` and even states it is fixed for the environment. This creates a misleading and potentially unsafe setup path: operators may believe a validated custom restart command is stored when a different command is actually persisted, causing failed recovery or unintended signaling of PID 1.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The script executes config.restartCommand via execSync with a shell, which allows arbitrary shell execution if that configuration is modified by an attacker or by an unsafe workflow. In this skill’s context, rollback is intended to run automatically and without user intervention, so a poisoned restartCommand would execute during a privileged recovery path, making the behavior more dangerous than a normal admin-only helper script.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger text is very broad, including phrases like 'any variation' around config safety, recovery, rollback, and testing. That increases the chance the skill activates in situations the user did not intend, which is risky here because the skill can initiate destructive actions, persist state, and restart services.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The restore procedure uses `unzip -o ... -d /`, which force-overwrites files at absolute paths without any confirmation or explicit warning that existing configuration and workspace files will be replaced. In a recovery context this may be intended, but it is still dangerous because a user can easily restore the wrong snapshot and irreversibly clobber current state or unrelated files captured in the archive.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The restart examples include disruptive operations such as signaling PID 1, restarting systemd services, and cycling Docker Compose stacks, but the document does not explicitly warn that these actions can interrupt running services or affect more than OpenClaw depending on environment. In an emergency rollback skill this context makes restarts expected, but the lack of cautionary framing increases the chance of accidental outage or misuse under stress.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The reinstall flow includes `rm -rf ~/.openclaw/rollback/` with only a general prior note about backing up snapshots, but no immediate high-visibility warning at the destructive step. In operational settings, destructive commands embedded in setup docs are dangerous because they are often copied verbatim, and path expansion or environment mistakes can cause loss of rollback state and related data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The document recommends a 'destructive test' of the recovery pipeline without presenting a clear warning at that point about service interruption, configuration rollback, or possible loss of in-progress changes. Encouraging destructive operations without immediate impact disclosure increases the chance that users trigger outages unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The sabotage subcommand overwrites the live openclaw.json with destructive test values immediately and without any confirmation, dry-run, environment guard, or interlock. In a rollback skill whose purpose is to manipulate production configuration, this increases the chance of accidental service disruption, credential breakage, or misrouting if the command is run on the wrong system or before recovery is properly armed.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
OpenClaw Emergency Config Rollback — dead man's switch system for safely making
  risky changes to OpenClaw configuration. Use this skill whenever the user mentions
  wanting to make changes to openclaw.json or agent configs and wants a safety net,
  says anything like "set emergency recovery", "create a snapshot", "take a backup
  before changes", "set a backout timer", "restore snapshot", "accept changes",
  "test emergency recovery", "run recovery test", "how does the rollback work",
  "what rollback commands", or any variation of wanting to safely change OpenClaw
Confidence: 88%
Finding:
create a snapshot", "take a backup before changes", "set a backout timer", "restore snapshot", "accept changes", "test emergency recovery", "run recovery test", "how does the rollback work", "wh

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
### "restore snapshot [1|2|3]"
Manually restore a specific snapshot immediately.

1. Confirm with user: "This will overwrite your current OpenClaw config with
   snapshot [N] '<label>' from <timestamp> and restart the gateway. Are you sure?"
2. On confirmation: run `~/.openclaw/rollback/scripts/restore.mjs <slot>`
3. Gateway restarts. Next session will detect uptime < 90 seconds.
Confidence: 90%
Finding:
write your current OpenClaw config with snapshot [N] '<label>' from <timestamp> and restart the gateway. Are you sure?" 2. On confirmation: run `~/.openclaw/rollback/scripts/restore.mjs <slot>` 3.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Locations:
  • hooks/watchdog-recovery/handler.ts:55
  • scripts/recovery-test.mjs:39
  • scripts/restore-if-armed.mjs:34
  • scripts/restore.mjs:50
  • scripts/snapshot.mjs:81
  • scripts/watchdog-clear.mjs:32
  • scripts/watchdog-set.mjs:46
  • scripts/watchdog-timer.mjs:38

Documentation contains a destructive delete command without an explicit confirmation gate.

Severity: Warn
Code: suspicious.destructive_delete_command
Location: references/SETUP.md:204