Back to skill

Security audit

Claw Reliability

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local observability tool that reads OpenClaw session data, stores metrics locally, and only sends alerts externally when the user configures a webhook.

Install only if you are comfortable with the skill reading OpenClaw session transcripts and storing summarized metrics locally. If you enable Discord alerts, use a dedicated trusted webhook, keep config.yaml out of source control and shared workspaces, and rotate the webhook if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises behaviors that read local transcripts/events, write to a SQLite database, and optionally send alerts to external destinations via webhook URLs, but it does not declare explicit permissions for file access or network use. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as low-privilege even though it can access local data and exfiltrate telemetry if alerting is configured.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The monitoring CLI includes a configuration-writing capability that persists new alert destinations to disk, which expands behavior from passive observability into state-changing configuration management. In a security-sensitive agent environment, unexpected on-disk modification can be abused to alter future data egress paths or silently change operational behavior, especially if this command is exposed through automation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code accepts an arbitrary Discord webhook URL from external input and stores it for later use, enabling outbound delivery to attacker-controlled endpoints if misused. Because alert payloads may include operational metadata such as session IDs, agent IDs, tool failures, or anomaly details, this creates a plausible exfiltration channel not strongly bounded by the stated purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Discord webhook URL is written directly into config.yaml without warning the user that a credential-like secret will be stored on disk, potentially in plaintext. This increases the chance of credential leakage through file permissions issues, backups, source control mistakes, or later disclosure of configuration files.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The monitor can forward alerts to Discord, but the CLI code provides no visible disclosure or consent mechanism indicating that monitoring-derived metadata may leave the local environment. In an agent observability tool, alerts commonly include contextual details that can reveal internal operations, making undisclosed external transmission a meaningful privacy and security risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI stores a Discord webhook URL directly into config.yaml on disk, and a webhook URL functions as a secret because anyone who obtains it can send messages to the associated channel. In an observability/alerting skill this is more dangerous than usual because operators are likely to configure real production alert destinations, and the code provides no warning, masking, permission hardening, or recommendation to use a secret store.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The parser automatically reads transcript files from the user's ~/.openclaw state directory, which can contain sensitive session content, tool outputs, prompts, and metadata. Even though this appears aligned with the skill's observability purpose, accessing local agent transcripts without clear disclosure, consent, or scope controls creates a privacy risk and may expose sensitive data to dashboards, logs, or downstream alerting components.

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.104.0
uvicorn>=0.24.0
pyyaml>=6.0
Confidence
97% confidence
Finding
fastapi>=0.104.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.104.0
uvicorn>=0.24.0
pyyaml>=6.0
Confidence
97% confidence
Finding
uvicorn>=0.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.104.0
uvicorn>=0.24.0
pyyaml>=6.0
Confidence
98% confidence
Finding
pyyaml>=6.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.