Back to skill

Security audit

OpenClaw Projects

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenClaw project setup workflow that creates persistent coordination files and config changes only after a user-reviewed plan.

Install this only if you want persistent OpenClaw multi-agent project coordination. Before approving setup, review the generated plan, participating agents, task-manager project, repository URLs, and dependency skills; keep actual secrets out of project files, queue files, and shared memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions are extremely broad and include vague coordination phrases, which can cause the skill to activate in contexts where the user did not intend filesystem changes, config edits, or project scaffolding. Because this skill performs high-impact administrative actions like writing under ~/.openclaw and modifying agent communication config, accidental invocation increases the risk of unwanted persistent state changes and misconfiguration.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.