Openclaw Genie

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw reference skill with some risky setup examples users should review before copying.

Safe to install as a reference skill. Before following its OpenClaw setup commands, prefer pinned or verifiable installs, review remote scripts before running them, avoid unnecessary daemon or system-wide installation, grant only the channel and tool scopes you need, and be careful with memory indexing, browser profiles, broadcasts, and PDFs sent to remote model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README states that the skill triggers automatically for essentially any OpenClaw-related topic, which is a very broad activation scope. In agent ecosystems, overbroad auto-triggering can cause the skill to activate during ordinary conversation, increasing prompt-surface exposure and the chance that its instructions override or interfere with more appropriate skills or baseline behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quick-start section recommends executing a remote install script directly via the shell without any integrity verification, review step, or warning about the risk. This creates a real supply-chain and remote-code-execution hazard because anyone following the documentation grants immediate execution to whatever the remote endpoint serves at that moment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation instructs users to fetch and immediately execute a remote script via a shell pipe, without any integrity verification, signature check, pinning, or warning about the trust boundary. If the hosting domain, transport path, or script is compromised, users will execute attacker-controlled code on their machine with their current privileges.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This 'git' installation path still relies on piping a remote script directly into bash before building locally, so it has the same supply-chain risk as the one-liner installer. The later local build step does not mitigate the initial arbitrary code execution risk from the downloaded installer.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented auto memory flush performs a silent agentic turn that persists user and session context to disk without any user-facing notice at the time of capture. Even if intended as a usability feature, silent persistence of potentially sensitive context creates a privacy and consent risk, especially because the data becomes durable memory and may later be retrieved or indexed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The session memory feature documents indexing full session transcripts alongside memory files but does not mention consent, retention limits, or sensitivity filtering. Transcript indexing can capture secrets, personal data, and security-relevant exchanges, increasing the risk of unintended retention and later disclosure through search or retrieval features.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The broadcast feature explicitly allows the same incoming message to be delivered to multiple agents, but the documentation does not clearly warn that message contents, attachments, and conversational context will be replicated to every listed agent. In a multi-agent system where agents may have different tools, memories, workspaces, or operators, this can cause unintended disclosure of sensitive user data and increase the privacy and access-control risk surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that in native mode the PDF tool sends raw PDF bytes directly to external model providers, but it does not give a prominent privacy/security warning about potential disclosure of sensitive document contents. This can lead users or integrators to unknowingly transmit confidential PDFs to third parties, especially in an agent environment where tool usage may be automated or implicit.

External Script Fetching

High
Category
Supply Chain
Content
### One-Liner (macOS/Linux)
```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```

### npm (all platforms, requires Node 22+)
Confidence
99% confidence
Finding
curl -fsSL https://openclaw.ai/install.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
### Git (hackable)
```bash
curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method git
cd openclaw && pnpm install && pnpm run build
```
Confidence
99% confidence
Finding
curl -fsSL https://openclaw.ai/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
### One-Liner (macOS/Linux)
```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```

### npm (all platforms, requires Node 22+)
Confidence
97% confidence
Finding
| bash

VirusTotal

64/64 vendors flagged this skill as clean.
