Back to skill

Security audit

OpenClaw Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a defensive safety plugin, but it reads local session history and can send recent conversation content plus flagged tool details to an LLM provider without tight session scoping or clear disclosure.

Review before installing, especially on shared systems or environments with secrets in chats. Use it only if you are comfortable with it reading OpenClaw session files and sending selected user-message context plus flagged command/path details to your configured LLM provider. Prefer a version that binds context to the active session, redacts or minimizes prompt data, clearly documents provider data flow, and fixes the package path/tsconfig inconsistencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises significant capabilities including environment access, network use, and shell interaction, but does not declare permissions. This undermines informed consent and security review because operators cannot accurately assess what the plugin can access or transmit before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The described behavior omits that the plugin reads local session transcript files, ignores the provided sessionKey, and sends recent conversation content to an external LLM. That creates a material privacy and integrity risk because it can inspect the wrong session and exfiltrate user data outside the documented trust boundary.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README makes conflicting security claims: the metadata states critical operations require 3/3 unanimous LLM votes, while the body later says Full Vote uses 3 guardians with a 2-of-3 majority and even documents that policy as configurable. Security-sensitive documentation mismatches can cause operators to deploy the plugin under a false assumption about enforcement strength, reducing real-world protections for dangerous tool calls.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The audit entry omits the actual tool parameters even though `writeAuditEntry` receives them, so the log cannot reliably capture what dangerous command, path, or payload was attempted. In a security-layer plugin whose value depends on detecting and investigating bypasses, pipe attacks, and risky writes/execs, this creates an accountability gap: an attacker or faulty agent can trigger a flagged operation while the audit trail records only metadata, making forensic review and policy verification much weaker.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The code restores `lastHash` by trusting the last line of the existing file and never verifies that earlier entries form a valid hash chain. That means a local attacker or compromised process can delete, rewrite, or truncate historical records and then continue appending new entries from the forged tip, undermining the claimed append-only integrity guarantees.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
readRecentContext ignores the provided sessionKey and instead loads the most recently modified session file on disk. In a multi-session or multi-user environment, this can cause the voter to evaluate one user's dangerous tool call using another session's messages, leading to incorrect authorization decisions and cross-session data exposure.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The public APIs singleVote and multiVote accept a sessionKey parameter, but the implementation disregards it and reads whichever session file was modified most recently. This creates a confused-deputy condition where explicit intent can be inferred from the wrong conversation, potentially approving destructive operations that the actual user never requested.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The LLM verification section says recent conversation context is read, but the description does not clearly warn users that this context may be transmitted to a third-party model provider. This is a privacy-sensitive data flow that should be disclosed because prompts may contain secrets, personal data, or proprietary information.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README presents audit logging as a feature but does not clearly warn that all tool-call decisions and associated metadata are written to a local JSONL file, which may include sensitive filenames, command arguments, policy decisions, and potentially secret-adjacent context. In a security plugin, silent or under-disclosed retention of operational data increases privacy and credential-exposure risk, especially on shared systems or insecure home directories.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code forwards recent user messages to an external model provider for every flagged operation, using whatever provider/API key is configured. Without explicit notice, consent, minimization, or local-only safeguards in this path, sensitive user content may be disclosed to third-party services during security checks.

Ssd 3

Medium
Confidence
95% confidence
Finding
Recent user messages are automatically extracted from local session logs and sent to an external LLM in plain text. Because the code selects the latest session file rather than a bound session and includes free-form user content, it increases the chance of leaking private or unrelated conversation data to the provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/blacklist.ts:104

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/blacklist.ts:104

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/llm-voter.ts:146