Fletcher Cyber Security Engineer

Security checks across malware telemetry and agentic risk

Overview

This security skill is mostly coherent, but it asks for persistent, high-impact control over sudo and local monitoring, and several of its safeguards are too narrowly scoped for that level of access.

Install only if you deliberately want this skill to mediate privileged OpenClaw operations. Before running the runtime hook, review the sudo shim, configure a restrictive command-policy.json, restrict permissions on ~/.openclaw and ~/.openclaw/security, leave OPENCLAW_VIOLATION_NOTIFY_CMD unset unless you fully trust the command it names, and keep a clear way to undo the LaunchAgent PATH change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Best-effort: ensure sudo timestamp for this user is not reused implicitly.
        subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)
    append_audit({"action": "exec_start", "argv": argv, "use_sudo": use_sudo})
    result = subprocess.run(exec_argv)
    append_audit({"action": "exec_finish", "argv": argv, "use_sudo": use_sudo, "returncode": result.returncode})
    return result.returncode
Confidence
91% confidence
Finding
result = subprocess.run(exec_argv)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(json.dumps(exec_argv, indent=2))
    if use_sudo and sudo_kill_cache:
        # Best-effort: ensure sudo timestamp for this user is not reused implicitly.
        subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)
    append_audit({"action": "exec_start", "argv": argv, "use_sudo": use_sudo})
    result = subprocess.run(exec_argv)
    append_audit({"action": "exec_finish", "argv": argv, "use_sudo": use_sudo, "returncode": result.returncode})
Confidence
95% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
append_audit({"action": "drop_elevation", "argv": argv, "reason": "post-command"})
        if args.use_sudo and args.sudo_kill_cache:
            sudo_bin = os.environ.get("OPENCLAW_REAL_SUDO", "sudo")
            subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)


if __name__ == "__main__":
Confidence
95% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Best-effort: never crash the cycle due to a notifier.
    try:
        p = subprocess.run(cmd, shell=True, input=message, text=True)
        return int(p.returncode)
    except Exception:
        return 1
Confidence
98% confidence
Finding
p = subprocess.run(cmd, shell=True, input=message, text=True)

Tainted flow: 'exec_argv' from os.environ.get (line 47, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Best-effort: ensure sudo timestamp for this user is not reused implicitly.
        subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)
    append_audit({"action": "exec_start", "argv": argv, "use_sudo": use_sudo})
    result = subprocess.run(exec_argv)
    append_audit({"action": "exec_finish", "argv": argv, "use_sudo": use_sudo, "returncode": result.returncode})
    return result.returncode
Confidence
98% confidence
Finding
result = subprocess.run(exec_argv)

Tainted flow: 'sudo_bin' from os.environ.get (line 46, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
print(json.dumps(exec_argv, indent=2))
    if use_sudo and sudo_kill_cache:
        # Best-effort: ensure sudo timestamp for this user is not reused implicitly.
        subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)
    append_audit({"action": "exec_start", "argv": argv, "use_sudo": use_sudo})
    result = subprocess.run(exec_argv)
    append_audit({"action": "exec_finish", "argv": argv, "use_sudo": use_sudo, "returncode": result.returncode})
Confidence
98% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

Tainted flow: 'sudo_bin' from os.environ.get (line 211, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
append_audit({"action": "drop_elevation", "argv": argv, "reason": "post-command"})
        if args.use_sudo and args.sudo_kill_cache:
            sudo_bin = os.environ.get("OPENCLAW_REAL_SUDO", "sudo")
            subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)


if __name__ == "__main__":
Confidence
98% confidence
Finding
subprocess.run([sudo_bin, "-k"], check=False, capture_output=True, text=True)

Tainted flow: 'cmd' from os.environ.get (line 101, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Best-effort: never crash the cycle due to a notifier.
    try:
        p = subprocess.run(cmd, shell=True, input=message, text=True)
        return int(p.returncode)
    except Exception:
        return 1
Confidence
99% confidence
Finding
p = subprocess.run(cmd, shell=True, input=message, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes and references scripts that can read environment variables, read and write files, and execute shell commands, but it does not declare any permissions. This creates a capability/permission mismatch that can undermine platform trust boundaries, because a caller or reviewer may assume the skill is less powerful than it actually is and authorize it inappropriately.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The notifier's stated role is to emit compliance-diff alerts, but it instead exposes a generic arbitrary shell execution hook. That broader capability materially increases the attack surface and makes misuse easier, especially in a security-engineering skill where operators may assume the script only sends notifications rather than launching unrestricted commands.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script automatically collects and persists port and egress monitoring data to disk on every run without any built-in notice, consent, retention control, or permission hardening. In a security-monitoring skill this behavior is expected, but the generated artifacts may expose sensitive network topology, listening services, and outbound destinations to other local users or to anyone who can read the assessment directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script creates a user-controlled sudo wrapper at ~/.openclaw/bin/sudo and then attempts to make the OpenClaw gateway prefer that path by rewriting its LaunchAgent PATH, all without an explicit confirmation or integrity check. This silently changes how privileged commands are resolved for the gateway process and can become a privilege-interception mechanism if the wrapper or its referenced skill directory is modified later.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Executing the notification command via the shell without a clear user-facing warning or constrained interface is dangerous because callers may not realize they are enabling arbitrary shell semantics. This increases the likelihood of accidental insecure deployment, command injection through misconfiguration, or unsafe reuse in automation.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
export OPENCLAW_REAL_SUDO="\${REAL_SUDO}"
exec python3 "\${SKILL_DIR}/scripts/guarded_privileged_exec.py" \\
  --reason "\${REASON}" \\
  --use-sudo \\
  -- "\$@"
EOF
chmod 755 "${WRAPPER}"
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
--use-sudo \\
  -- "\$@"
EOF
chmod 755 "${WRAPPER}"

log "Installed sudo shim: ${WRAPPER}"
Confidence
88% confidence
Finding
chmod 755

Session Persistence

Medium
Category
Rogue Agent
Content
log "Installed sudo shim: ${WRAPPER}"

if [[ "$(uname -s)" == "Darwin" ]]; then
  PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
Confidence
92% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
log "Installed sudo shim: ${WRAPPER}"

if [[ "$(uname -s)" == "Darwin" ]]; then
  PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
if [[ "$(uname -s)" == "Darwin" ]]; then
  PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
Confidence
90% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
if [[ "$(uname -s)" == "Darwin" ]]; then
  PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
Confidence
90% confidence
Finding
Plist

Session Persistence

Medium
Category
Rogue Agent
Content
PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
Confidence
93% confidence
Finding
Plist

Session Persistence

Medium
Category
Rogue Agent
Content
PLIST="${HOME}/Library/LaunchAgents/ai.openclaw.gateway.plist"
  if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
Confidence
93% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
      /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables:PATH string ${NEW_PATH}" "${PLIST}" 2>/dev/null || \
Confidence
95% confidence
Finding
Plist

Session Persistence

Medium
Category
Rogue Agent
Content
if [[ -f "${PLIST}" ]] && command -v /usr/libexec/PlistBuddy >/dev/null 2>&1; then
    # Ensure EnvironmentVariables exists and prepend ~/.openclaw/bin to PATH.
    /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${PLIST}" 2>/dev/null || true
    EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
      /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables:PATH string ${NEW_PATH}" "${PLIST}" 2>/dev/null || \
Confidence
95% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
      /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables:PATH string ${NEW_PATH}" "${PLIST}" 2>/dev/null || \
        /usr/libexec/PlistBuddy -c "Set :EnvironmentVariables:PATH ${NEW_PATH}" "${PLIST}" 2>/dev/null || true
      log "Updated gateway LaunchAgent PATH to include ${BIN_DIR}"
    else
Confidence
95% confidence
Finding
Plist

Session Persistence

Medium
Category
Rogue Agent
Content
EXISTING_PATH="$(/usr/libexec/PlistBuddy -c "Print :EnvironmentVariables:PATH" "${PLIST}" 2>/dev/null || true)"
    if [[ -z "${EXISTING_PATH}" ]]; then
      NEW_PATH="${BIN_DIR}:/usr/bin:/bin:/usr/sbin:/sbin"
      /usr/libexec/PlistBuddy -c "Add :EnvironmentVariables:PATH string ${NEW_PATH}" "${PLIST}" 2>/dev/null || \
        /usr/libexec/PlistBuddy -c "Set :EnvironmentVariables:PATH ${NEW_PATH}" "${PLIST}" 2>/dev/null || true
      log "Updated gateway LaunchAgent PATH to include ${BIN_DIR}"
    else
Confidence
95% confidence
Finding
PLIST

VirusTotal

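65/65 vendors reported this skill as clean (no vendor flagged it as malicious). That is a malware-detection verdict only; it does not evaluate the privilege, persistence and shell-execution findings listed above.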
