Cyber Security Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent security tool, but it changes how sudo is reached by OpenClaw and leaves several high-impact controls configurable by environment variables, so it needs review before installation.

Install only if you intentionally want OpenClaw to route sudo through this skill. Review the runtime hook first, keep policy files reviewed and restrictive, avoid OPENCLAW_SKIP_PLIST_CONFIRM and OPENCLAW_ALLOW_NONINTERACTIVE_SUDO, harden ~/.openclaw permissions, and treat generated port/egress baselines as sensitive local security data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
        append_audit({"action": "drop_elevation", "argv": argv, "reason": "post-command"})
        if args.use_sudo and args.sudo_kill_cache:
            sudo_bin = os.environ.get("OPENCLAW_REAL_SUDO", "/usr/bin/sudo")
            subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)


if __name__ == "__main__":
```
Confidence
84% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

Tainted flow: 'sudo_bin' from os.environ.get (line 280, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
```python
        append_audit({"action": "drop_elevation", "argv": argv, "reason": "post-command"})
        if args.use_sudo and args.sudo_kill_cache:
            sudo_bin = os.environ.get("OPENCLAW_REAL_SUDO", "/usr/bin/sudo")
            subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)


if __name__ == "__main__":
```
Confidence
96% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares substantial capabilities (environment access, file reads/writes, shell execution) but does not declare permissions explicitly. That creates a governance gap where operators may underestimate what the skill can do, reducing review quality and increasing the chance that risky behavior is approved or executed without appropriate scrutiny.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This is a true integrity issue in the compliance artifact: the control is marked compliant while the accompanying gap text explicitly states the least-privilege posture is not complete. Such contradictory reporting can mislead operators, auditors, or automated governance workflows into treating an unresolved privilege-hardening gap as closed, increasing the chance that elevated access paths remain insufficiently controlled.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script persists detailed local service metadata, including command names, users, and PIDs, into a baseline file under the user's home directory without explicit consent or minimization. In a security-engineering skill, this data can be operationally useful, but it also creates a local inventory of running services and identities that could aid post-compromise discovery or be exposed through weak file permissions, backups, or accidental sharing.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- `OPENCLAW_UNTRUSTED_SOURCE` — set to `1` to flag the current content source as untrusted
- `OPENCLAW_VIOLATION_NOTIFY_CMD` — absolute path to a notifier binary (must also be allowlisted)
- `OPENCLAW_VIOLATION_NOTIFY_ALLOWLIST` — JSON array of allowed argv arrays, or comma-separated absolute paths
- `OPENCLAW_REAL_SUDO` — override path to the real sudo binary (used by the runtime hook shim)
- `OPENCLAW_PYTHON3` — override path to python3 (used by the runtime hook shim)
- `OPENCLAW_CYBER_SKILL_DIR` — override path to the skill directory (used by the runtime hook shim)
- `OPENCLAW_ALLOW_NONINTERACTIVE_SUDO` — set to `1` to allow non-interactive sudo through the shim (default: blocked)
Confidence
90% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- `OPENCLAW_REAL_SUDO` — override path to the real sudo binary (used by the runtime hook shim)
- `OPENCLAW_PYTHON3` — override path to python3 (used by the runtime hook shim)
- `OPENCLAW_CYBER_SKILL_DIR` — override path to the skill directory (used by the runtime hook shim)
- `OPENCLAW_ALLOW_NONINTERACTIVE_SUDO` — set to `1` to allow non-interactive sudo through the shim (default: blocked)
- `OPENCLAW_PRIV_REASON` — human-readable reason passed to the guarded execution wrapper
- `OPENCLAW_VIOLATION_NOTIFY_STATE` — override path to the notification state file
- `OPENCLAW_SKIP_PLIST_CONFIRM` — set to `1` to skip the interactive confirmation before modifying the macOS LaunchAgent plist
Confidence
86% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
## Runtime Hook (sudo shim)

The script `scripts/install-openclaw-runtime-hook.sh` installs an **opt-in** sudo
shim at `~/.openclaw/bin/sudo`. This shim **shadows** the system `sudo` binary by
prepending `~/.openclaw/bin` to `PATH` in the OpenClaw gateway process.
Confidence
88% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
- `OPENCLAW_ALLOW_NONINTERACTIVE_SUDO` — set to `1` to allow non-interactive sudo through the shim (default: blocked)
- `OPENCLAW_PRIV_REASON` — human-readable reason passed to the guarded execution wrapper
- `OPENCLAW_VIOLATION_NOTIFY_STATE` — override path to the notification state file
- `OPENCLAW_SKIP_PLIST_CONFIRM` — set to `1` to skip the interactive confirmation before modifying the macOS LaunchAgent plist

**Policy files (admin reviewed):**
- `~/.openclaw/security/approved_ports.json`
Confidence
87% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
- `OPENCLAW_ALLOW_NONINTERACTIVE_SUDO` — set to `1` to allow non-interactive sudo through the shim (default: blocked)
- `OPENCLAW_PRIV_REASON` — human-readable reason passed to the guarded execution wrapper
- `OPENCLAW_VIOLATION_NOTIFY_STATE` — override path to the notification state file
- `OPENCLAW_SKIP_PLIST_CONFIRM` — set to `1` to skip the interactive confirmation before modifying the macOS LaunchAgent plist

**Policy files (admin reviewed):**
- `~/.openclaw/security/approved_ports.json`
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
**Opt-in:** The hook is **not installed by default**. To enable it, run bootstrap with
`ENFORCE_PRIVILEGED_EXEC=1`. On macOS, the installer will prompt for confirmation
before modifying the gateway LaunchAgent plist. The shim can be removed at any time
by deleting `~/.openclaw/bin/sudo`.

## File Writes
Confidence
84% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.
