ClawHub
Back to skill

Security audit

Evez Cheat Codes

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill, but it highlights powerful OpenClaw settings that can weaken security or expose private data if used carelessly.

Install only if you want an OpenClaw power-user reference and are comfortable reviewing security-sensitive settings manually. Do not enable raw stream logging, live signed-in browser control, disabled auth/signature checks, elevated execution, Docker host binds, or HTTP tool allow-list changes unless you understand the impact and can keep them scoped to a test or controlled environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill prominently documents debug and raw-stream logging modes, including options that log prompt text and raw assistant streams, but presents them as 'cheat codes' without a clear warning about sensitive data exposure. In an agent/operator context, enabling these settings can capture prompts, responses, tokens, and possibly secrets or personal data into logs or files that may be retained or exfiltrated later.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes browser automation against the user's signed-in Chrome profile as a useful 'secret' without an explicit privacy or integrity warning. Controlling a live user browser session can access authenticated content, perform actions as the user, and expose session data, making this especially dangerous in an agent skill context.

Ssd 2

Medium
Confidence
97% confidence
Finding
The package description explicitly advertises 'Hidden features, env vars, debug flags, and power-user tricks,' which signals an intent to expose undocumented capabilities and potentially sensitive environment-based secrets. In the context of an agent skill, this is dangerous because it suggests the package may encourage discovery or misuse of privileged functionality and confidential configuration data.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal