OpenClaw Guide Maintenance

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw operations guide, but it normalizes several high-impact admin, automation, browser, and third-party data-flow actions without enough inline safeguards.

Install only if you administer OpenClaw and want a broad operations reference available to your agent. Treat its examples as privileged admin guidance: verify installer scripts before running them, keep the gateway loopback or tailnet-only with strong auth, avoid approve-all/elevated full except in controlled break-glass cases, and disable or explicitly scope Firecrawl, cloud transcription, cloud embeddings, broad memory indexing, heartbeat delivery to last contact, and standing orders for sensitive deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (42)

Description-Behavior Mismatch (High, 93% confidence)
This file documents a full-power browser automation surface, including navigation, tab control, screenshots, cookies, storage, downloads, and remote CDP attachment, which materially exceeds a narrowly scoped setup/troubleshooting skill. In a support skill context, exposing generalized browsing capability creates a privilege expansion path where the agent can be steered into unrelated web interaction or sensitive session access.

Context-Inappropriate Capability (High, 96% confidence)
The documented support for `browser evaluate`, `act kind=evaluate`, and `wait --fn` enables arbitrary JavaScript execution in browser context, which can read page data, manipulate authenticated sessions, and perform actions beyond troubleshooting needs. In an OpenClaw support skill, this is especially dangerous because the profile may contain logged-in sessions and the capability is not justified by the stated purpose.

Context-Inappropriate Capability (Medium, 92% confidence)
The documentation explicitly promotes Firecrawl as an anti-bot fallback and recommends 'stealth' mode to bypass protections. In an installation/operations skill, this extends beyond neutral admin guidance into facilitating evasion behavior, which can lead users to access sites in ways that violate terms of service or trigger legal, abuse, or account-blocking consequences.

Context-Inappropriate Capability (Medium, 91% confidence)
The file explicitly documents running remote `.prose` programs fetched from an external URL and notes use of `web_fetch` and `exec` tools. In a security-sensitive agent environment, encouraging execution of remotely retrieved workflow definitions materially increases the risk of supply-chain abuse, prompt injection, or unintended tool invocation if the remote content is malicious or compromised.

Description-Behavior Mismatch (High, 93% confidence)
The file documents general-purpose `web_search` and `web_fetch` capabilities, including provider selection, direct page retrieval, and third-party fallback behavior, which extends beyond the declared scope of an OpenClaw installation/operations support skill. Expanding a skill's documented capability surface can normalize or enable network actions that users and downstream systems would not expect from an admin-focused guide, increasing the risk of unauthorized data access or exfiltration via external services.

Context-Inappropriate Capability (Medium, 89% confidence)
The markdown presents broad web-search and web-fetch usage as normal functionality without tying it to the stated purpose of helping with local OpenClaw setup, maintenance, and troubleshooting. This scope drift is dangerous because it can cause the agent to invoke external network capabilities for unrelated tasks, weakening least-privilege expectations and broadening opportunities for misuse.

Missing User Warnings (Medium, 82% confidence)
This section presents security-impacting and state-changing commands such as auto-fix, update, cleanup, binding changes, and message sending as routine quick-reference actions without inline cautions or confirmation guidance. In an agent-consumed skill, that increases the chance an automated system proposes or executes impactful commands without adequately warning the user about side effects.

Missing User Warnings (Medium, 95% confidence)
The documentation presents `approve-all` and related non-interactive permission settings as normal configuration options without a prominent warning that they can allow an external ACP runtime to execute sensitive actions without human review. In the context of a self-hosted agent gateway that can spawn external agent runtimes and operate on local repositories and connected systems, this materially increases the risk of unauthorized file writes, command execution, or data exposure if misconfigured.

Missing User Warnings (Medium, 80% confidence)
The 'Standing Orders' section explicitly grants agents permanent operating authority, but it does not prominently warn that persistent autonomous execution can affect user data, external systems, or communications without per-action review. In a self-hosted multi-channel agent gateway, this is materially risky because the surrounding platform can trigger actions across channels and hooks over time.

Missing User Warnings (Medium, 88% confidence)
The examples embed tokens, API keys, and basic-auth credentials directly in URLs, which risks secret leakage through logs, shell history, config files, browser history, referrers, and error messages. Even though placeholders are shown, normalizing this pattern in docs encourages insecure operational practice for powerful remote browser endpoints.

Missing User Warnings (Medium, 89% confidence)
The documentation shows realistic secret-bearing fields such as Telegram bot tokens, Slack app/bot tokens, and SOCKS5 proxy credentials directly in configuration examples without an explicit warning to treat them as secrets. Even though the sample values are placeholders, users frequently copy documentation into configs, shell history, screenshots, tickets, or repositories, which can lead to credential exposure and account compromise.

Missing User Warnings (Medium, 95% confidence)
The skill tells users to configure a third-party service and describes automatic fallback of web content retrieval to Firecrawl, but it omits any warning that requested URLs and possibly retrieved content may be transmitted to an external provider. This creates a privacy and data-governance risk, especially in a self-hosted gateway context where users may assume traffic stays local unless clearly disclosed.

Missing User Warnings (Medium, 88% confidence)
The documentation explicitly exposes an `/elevated full` mode that runs commands on the gateway host while skipping execution approvals, but it does not pair that capability with a clear warning about the security consequences. In the context of a self-hosted AI agent gateway, this materially increases the chance that operators enable a highly dangerous mode without understanding that it removes an important safeguard against unintended or malicious host command execution.

Missing User Warnings (Medium, 92% confidence)
The documentation explicitly recommends `openclaw gateway --tailscale funnel`, which makes the gateway internet-accessible, but does not pair that with a clear warning about expanded attack surface, strong-auth requirements, or when this mode should be avoided. In an operations guide for a self-hosted AI gateway that exposes messaging, admin, and agent interfaces on one multiplexed port, this omission can lead operators to unintentionally publish sensitive control surfaces.

Missing User Warnings (Medium, 96% confidence)
The guide includes a `curl ... | bash` installer command without warning that it executes remote code directly from the network. If the hosting domain, transport, CDN, or distribution path is compromised, users may immediately run attacker-controlled code with their local account privileges.

Missing User Warnings (Medium, 88% confidence)
The documentation explicitly states that the agent can update HEARTBEAT.md itself if the workspace is writable, but it does not clearly warn users that enabling heartbeat may allow unattended background writes to local files. In a self-hosted agent gateway, autonomous workspace modification can change task state, overwrite notes, or create confusing side effects without explicit operator awareness.

Missing User Warnings (Medium, 93% confidence)
The quick-start guidance recommends setting target to "last" so heartbeat replies are sent to the last external contact, which enables unattended outbound messaging from a background process. Without a strong user-facing warning, operators may accidentally configure automatic messages to customers or personal contacts, causing privacy leaks, spam-like behavior, or disclosure of internal agent reasoning/results.

Missing User Warnings (Medium, 95% confidence)
The installation instructions tell users to pipe a remotely fetched shell script and PowerShell payload directly into an interpreter without any integrity verification, review step, or warning. This creates a real supply-chain execution risk: if the hosting domain, CDN, TLS trust chain, or script endpoint is compromised, users will immediately execute attacker-controlled code on their machines.

Missing User Warnings (Medium, 89% confidence)
The migration guidance instructs users to copy the full ~/.openclaw directory, explicitly including sessions, but does not warn that this may contain authentication material, tokens, secrets, logs, or other sensitive state. That omission can lead to insecure transfer, overbroad backups, or accidental disclosure of channel credentials during migration.

Missing User Warnings (Medium, 92% confidence)
The documentation states that incoming images and documents are downloaded and attached to the agent prompt, but does not warn that private user content may be automatically transferred into model context and potentially exposed to downstream providers, logs, or retention systems. In a self-hosted multi-channel agent gateway, this can lead to unanticipated disclosure of sensitive media contents, especially for operators who assume attachments stay local or are processed only on-device.

Missing User Warnings (Medium, 96% confidence)
The audio transcription section lists automatic provider selection and external APIs such as OpenAI, Groq, Deepgram, and Google, but does not clearly warn that voice notes may be transmitted off-host to third-party services. Because this feature performs auto-detection and may fall back across multiple providers, operators may unknowingly send sensitive audio, transcripts, or metadata to external vendors, creating privacy, compliance, and data residency risks.

Missing User Warnings (Medium, 94% confidence)
The documented automatic memory flush can persist user/session-derived content to disk silently, explicitly noting that nothing is delivered to chat. That creates a real privacy and consent risk because users may not realize durable notes are being written, and sensitive data shared in-session could be retained beyond the immediate conversation.

Missing User Warnings (Medium, 92% confidence)
The file documents auto-selection of cloud embedding providers and key resolution paths, but does not clearly warn that memory content may be transmitted off-device to third-party services for embedding. In a memory system handling potentially sensitive notes, that omission can lead to unintended external disclosure and privacy/compliance issues.

Missing User Warnings (Medium, 89% confidence)
The extraPaths feature allows recursive indexing of arbitrary absolute or relative Markdown paths, including shared locations outside the workspace, without warning about expanded data scope. This can unintentionally ingest sensitive documents into searchable memory and, if paired with remote embeddings, further propagate that content to external providers.

Missing User Warnings (Medium, 86% confidence)
The documentation explicitly reveals filesystem locations where API keys and OAuth access/refresh tokens are stored, but it does not warn that these files are highly sensitive or recommend protecting them with strict permissions, encryption, backup hygiene, and log avoidance. In a self-hosted gateway context, operators may copy, back up, or expose these paths during troubleshooting, increasing the chance of credential theft and downstream account compromise.

VirusTotal

64/64 vendors flagged this skill as clean.