Back to skill

Security audit

OpenClaw Minecraft

Security checks across malware telemetry and agentic risk

Overview

This Minecraft bot skill is not clearly malicious, but it asks to replace workspace cron instructions and run persistent autonomous bot actions through an external controller.

Install only if you intentionally want persistent Minecraft bot autonomy. Do not blindly replace an existing CRON_PROMPT.md; merge or namespace the cron instructions, verify the controller endpoint is yours or trusted, use scoped revocable tokens, and add clear start, stop, log cleanup, and server-safety limits before enabling the 30-second loop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The prompt explicitly instructs the agent to load an access token from local memory and use it for all API requests. While authentication is expected for bot control, embedding secret retrieval and unconditional token use inside a cron skill increases the skill's authority and creates unnecessary secret-handling behavior without any scope restriction, disclosure, or validation of destination trust.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to overwrite the workspace root CRON_PROMPT.md unconditionally, which expands the skill's behavior from Minecraft API control into local file modification. This can alter global agent behavior, persist instructions across runs, and potentially replace existing trusted cron guidance with skill-supplied automation logic unrelated to the user's immediate request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to read a sensitive access token from local auth storage and attach it to every request, but provides no user-facing warning or consent language about secret access. In an adversarial prompt setting, this is dangerous because the skill can normalize secret consumption and could be repointed or modified to misuse credentials against unintended endpoints.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The prompt directs the agent to persist decision logs with timestamps into local memory, but does not disclose that bot activity data will be stored. Even if the contents seem operational, accumulated logs can reveal behavior patterns, targets, server activity, and other contextual data that may be sensitive over time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Telling users or agents to overwrite CRON_PROMPT.md without a clear warning creates a prompt-injection and unsafe-persistence risk because it replaces an existing control file that may govern recurring autonomous behavior. In this context, the danger is heightened because the overwrite is framed as mandatory and tied to a cron job running every 30 seconds, making the change durable and repeatedly executed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.