OpenClaw Config Safety v2

Security checks across malware telemetry and agentic risk

Overview

This config-safety skill is mostly purpose-aligned, but it needs Review because its export path can put real API keys into supposedly safe-to-share tokens and its validator may run a mutating repair command outside the candidate file.

Review or patch the export and validation paths before installing. Do not share mrconf tokens produced from configs that may contain literal API keys until export redaction is enforced, and avoid the validator unless doctor --fix is removed or fully isolated to the candidate file. Back up openclaw.json and prefer interactive imports with visible diffs.
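One way to enforce the redaction the verdict calls for, written here as an added example and not the skill's own export code: walk the config, replace every literal secret with a credential reference, and refuse to build a share token while any literal remains. The key-name pattern, the vendor value prefixes, the `${cred:<path>}` reference syntax, and the base64url-JSON token encoding are assumptions; the real mrconf token format is not described on this page.

```javascript
// Added example, not the skill's export path. SECRET_KEY_RE, SECRET_VALUE_RE, the
// ${cred:<path>} reference syntax, and the base64url-JSON encoding are assumptions.
const SECRET_KEY_RE = /(api[-_]?key|token|secret|password|passwd)$/i;
const SECRET_VALUE_RE = /^(sk-[A-Za-z0-9_-]{16,}|gh[pous]_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})$/;
const REF_RE = /^\$\{cred:[A-Za-z0-9_.-]+\}$/;

function looksLikeSecret(key, value) {
  if (typeof value !== "string" || value === "" || REF_RE.test(value)) return false;
  return SECRET_KEY_RE.test(key) || SECRET_VALUE_RE.test(value);
}

// Walk the config; every literal secret becomes a ${cred:<dotted.path>} reference.
// The real values are returned separately so the caller can keep them in its own
// credential store; they never enter the token.
function redactForExport(config) {
  const redacted = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) return node.map((item, i) => walk(item, [...path, String(i)]));
    if (node === null || typeof node !== "object") return node;
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      const child = [...path, key];
      if (looksLikeSecret(key, value)) {
        redacted.push({ path: child.join("."), value });
        out[key] = `\${cred:${child.join(".")}}`;
      } else {
        out[key] = walk(value, child);
      }
    }
    return out;
  };
  return { config: walk(config, []), redacted };
}

// Hard stop: refuse to build a token if any literal secret is still present.
// The error names paths only, never values.
function assertNoLiteralSecrets(config) {
  const { redacted } = redactForExport(config);
  if (redacted.length > 0) {
    throw new Error(`refusing to export: literal secrets at ${redacted.map((r) => r.path).join(", ")}`);
  }
}

function buildShareToken(config) {
  const { config: safe, redacted } = redactForExport(config);
  assertNoLiteralSecrets(safe);                       // enforced, not best-effort
  const token = Buffer.from(JSON.stringify({ v: 2, config: safe }), "utf8").toString("base64url");
  return { token, credentials: redacted };           // credentials stay local
}
```

Call `buildShareToken(config)` and store the returned `credentials` array in the local credential store; only `token` is safe to share. The key name is the primary signal; value-shape matching only catches vendors whose prefixes are known, so it is a supplement rather than the main defence.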

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The spec claims 'Import validates before substitution', but the documented flow performs only shallow token and schema checks before resolving and substituting secret values, and runs the final Zod validation only afterward. This matters because implementers may rely on the security claim and skip validation of the post-substitution structure, allowing malformed or attacker-controlled token content to influence credential resolution and config assembly before the config has been proven safe.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The spec states that normalization errors must never include field values, yet its own example error message includes the raw invalid value ('abc'). In a config normalizer, this contradiction invites implementations that leak secrets or sensitive config contents into logs, exceptions, telemetry, or user-visible errors when a failure occurs.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The number-coercion rules say non-numeric strings are to be left as-is, but a later example throws on an invalid numeric string. Different implementations of the same spec will therefore either pass bad input through or fail loudly, which creates validation bypasses, denial of service, or accidental data exposure through divergent error handling.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The script is presented as a pre-write validator, but Check 6 runs `openclaw doctor --fix --non-interactive`, a mutating repair command rather than a read-only validation. Because the command is executed without confining its working and config context to the temporary candidate copy, it may modify real user or project state, giving validation unintended side effects and violating caller expectations.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding
The module-level security comment states that resolved credential values are never logged or exposed, but the implementation calls substituteRefs(payload.config, credMap) and returns the resulting config object. Imported secrets are therefore materialized as plain values in the returned structure and can be exposed downstream by callers, logging, error handling, or serialization that trusts the false security assumption.
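The pattern that addresses the first finding above (validate before and after substitution) and this one (never hand back bare secret strings), as an added example rather than the skill's importer. The payload shape, the `${cred:<name>}` reference syntax, the credMap, and the schema table are assumptions, and Zod is replaced by a hand-written checker so the block runs stand-alone.

```javascript
// Added example; not the skill's importer and not OpenClaw's real schema. SCHEMA,
// REF_RE, the payload shape and credMap are assumptions for illustration.
class Secret {
  #value;
  constructor(value) { this.#value = value; }
  reveal() { return this.#value; }   // the one deliberate way to get the raw value
  toString() { return "[redacted]"; }
  toJSON() { return "[redacted]"; }
  [Symbol.for("nodejs.util.inspect.custom")]() { return "Secret([redacted])"; }
}

const REF_RE = /^\$\{cred:([A-Za-z0-9_.-]+)\}$/;

// Allowed fields and their types; anything else in the token is rejected.
const SCHEMA = {
  "providers.openai.apiKey": "secret",
  "providers.openai.model": "string",
  "limits.maxTokens": "number",
};

function flatten(obj, prefix = "", out = {}) {
  for (const [k, v] of Object.entries(obj)) {
    const p = prefix ? `${prefix}.${k}` : k;
    if (v !== null && typeof v === "object" && !Array.isArray(v) && !(v instanceof Secret)) flatten(v, p, out);
    else out[p] = v;
  }
  return out;
}

// The same checker runs twice: before substitution secret fields must be references,
// after substitution they must be Secret instances. Messages name paths, never values.
function validate(config, { resolved }) {
  const errors = [];
  const flat = flatten(config);
  for (const [p, expected] of Object.entries(SCHEMA)) {
    const v = flat[p];
    if (v === undefined) { errors.push(`${p}: missing`); continue; }
    if (expected === "secret") {
      const ok = resolved ? v instanceof Secret : typeof v === "string" && REF_RE.test(v);
      if (!ok) errors.push(`${p}: expected ${resolved ? "a resolved secret" : "a credential reference"}`);
    } else if (typeof v !== expected) {
      errors.push(`${p}: expected ${expected}`);
    }
  }
  for (const p of Object.keys(flat)) if (!(p in SCHEMA)) errors.push(`${p}: unknown field`);
  return errors;
}

function substituteRefs(node, credMap) {
  if (Array.isArray(node)) return node.map((x) => substituteRefs(x, credMap));
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, substituteRefs(v, credMap)]));
  }
  const m = typeof node === "string" ? node.match(REF_RE) : null;
  if (!m) return node;
  if (!Object.prototype.hasOwnProperty.call(credMap, m[1])) throw new Error(`unresolved credential reference: ${m[1]}`);
  return new Secret(credMap[m[1]]);   // wrapped, never a bare string
}

function importConfig(payload, credMap) {
  const pre = validate(payload.config, { resolved: false });
  if (pre.length) throw new Error(`token rejected before substitution: ${pre.join("; ")}`);
  const config = substituteRefs(payload.config, credMap);
  const post = validate(config, { resolved: true });
  if (post.length) throw new Error(`config rejected after substitution: ${post.join("; ")}`);
  return config;
}
```

The second pass is what catches a reference smuggled into a non-secret field: it looks like an ordinary string before substitution and only becomes a `Secret` afterward, where the type check rejects it. Because `Secret` redacts itself under `toString`, `JSON.stringify` and `util.inspect`, a caller that logs or serializes the returned config gets `[redacted]` unless it calls `reveal()` on purpose.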

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
Automatically truncating very long strings changes user-supplied configuration data before validation and may silently alter paths, URLs, identifiers, or opaque values. Even with a warning, this can produce security-relevant misconfiguration, unexpected behavior, and hard-to-diagnose failures, especially since the spec otherwise emphasizes failing loudly rather than making judgment calls.
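One normalizer that is consistent on the three points raised in the second, third and sixth findings (errors never carry values, one numeric-string rule, no silent truncation), as an added example and not the skill's code. The field-type table, the 4096-character cap, and the choice to coerce only fields declared numeric while leaving untyped strings exactly as supplied are assumptions; the page's spec does not settle that choice.

```javascript
// Added example, not the skill's normalizer. FIELD_TYPES, MAX_STRING_LEN and the
// "coerce only declared-numeric fields" rule are assumptions chosen for consistency.
const MAX_STRING_LEN = 4096;
const FIELD_TYPES = {
  "limits.maxTokens": "number",
  "limits.timeoutMs": "number",
  "model": "string",
  "baseUrl": "string",
};

// Errors carry the path and a reason only. The offending value is deliberately not
// captured, so nothing downstream (logs, telemetry, stack traces) can print it.
class NormalizeError extends Error {
  constructor(path, reason) {
    super(`${path}: ${reason}`);
    this.name = "NormalizeError";
    this.path = path;
    this.reason = reason;
  }
}

function coerceNumber(path, value) {
  if (typeof value === "number") {
    if (!Number.isFinite(value)) throw new NormalizeError(path, "must be a finite number");
    return value;
  }
  if (typeof value !== "string") throw new NormalizeError(path, `expected number, got ${typeof value}`);
  // A string in a numeric field must be a plain decimal; anything else fails here
  // rather than passing through untouched or silently becoming NaN.
  if (!/^-?\d+(\.\d+)?$/.test(value.trim())) throw new NormalizeError(path, "not a numeric string");
  return Number(value.trim());
}

function normalizeString(path, value) {
  if (typeof value !== "string") throw new NormalizeError(path, `expected string, got ${typeof value}`);
  if (value.length > MAX_STRING_LEN) throw new NormalizeError(path, `longer than ${MAX_STRING_LEN} characters`);
  return value;   // returned unchanged: no truncation, no trimming of opaque values
}

// Returns the normalized config plus every error found, so a caller can fail loudly
// once with the full list. Untyped fields pass through exactly as supplied.
function normalize(config) {
  const errors = [];
  const walk = (node, prefix) => {
    if (node === null || typeof node !== "object" || Array.isArray(node)) return node;
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      const path = prefix ? `${prefix}.${key}` : key;
      try {
        const type = FIELD_TYPES[path];
        if (type === "number") out[key] = coerceNumber(path, value);
        else if (type === "string") out[key] = normalizeString(path, value);
        else out[key] = walk(value, path);
      } catch (e) {
        if (!(e instanceof NormalizeError)) throw e;
        errors.push(e.message);
      }
    }
    return out;
  };
  const normalized = walk(config, "");
  return { ok: errors.length === 0, normalized, errors };
}
```

With this rule the two statements in the spec stop contradicting each other: a non-numeric string in an untyped field is left as-is, while a non-numeric string in a field declared numeric is an error. A failed field is simply absent from `normalized`, so a caller that ignores `ok` cannot accidentally use a half-coerced value.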

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The non-interactive `--import <token>` flow is described as replacing the current config without an explicit confirmation or force/acknowledgment safeguard. In scripted or piped environments this allows accidental destructive overwrites or unsafe automated imports, especially when the token source is wrong or attacker-controlled.
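A guard for the non-interactive import path, as an added example that is not the skill's `--import` implementation: diff the incoming config against the current one, refuse in non-interactive mode unless the caller opts in with a force flag, and always carry a backup of the current file alongside the plan. The option names, the top-level diff granularity, and the backup naming are assumptions.

```javascript
// Added example, not the skill's --import code. The nonInteractive/force options,
// the top-level diff and the backup file naming are assumptions for illustration.
function diffTopLevel(current, incoming) {
  const keys = new Set([...Object.keys(current), ...Object.keys(incoming)]);
  const changes = [];
  for (const k of keys) {
    const a = JSON.stringify(current[k]);
    const b = JSON.stringify(incoming[k]);
    if (a === b) continue;
    changes.push(a === undefined ? `+ ${k}` : b === undefined ? `- ${k}` : `~ ${k}`);
  }
  return changes.sort();
}

// Decide what the import may do before anything is written. Non-interactive callers
// must opt in with `force`; interactive callers get the diff and a confirmation step;
// every path that would write carries a backup of the current file.
function planImport({ current, incoming, nonInteractive = false, force = false, now = new Date() }) {
  const changes = diffTopLevel(current, incoming);
  if (changes.length === 0) return { action: "noop", changes, backup: null };
  const backup = {
    name: `openclaw.json.${now.toISOString().replace(/[:.]/g, "-")}.bak`,
    contents: JSON.stringify(current, null, 2),
  };
  if (nonInteractive && !force) {
    return {
      action: "refuse",
      reason: `import would change ${changes.length} top-level section(s); re-run with --force after reviewing the diff`,
      changes,
      backup,
    };
  }
  return { action: nonInteractive ? "apply" : "confirm", changes, backup };
}
```

The caller writes `backup.contents` to `backup.name` before replacing openclaw.json on an `apply`, and shows `changes` to the user on a `confirm`. Keeping the decision in a pure function makes the refusal path easy to test and impossible to skip by piping a token in.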

VirusTotal

65/65 vendors reported this skill as clean.
