openclaw-stable-running

Security checks across malware telemetry and agentic risk

Overview

This is a coherent operations skill for keeping OpenClaw running, but it includes under-disclosed host-level network failover and unattended persistence that users should review before installing.

Install only if you want OpenClaw to run unattended after logout and reboot. Review every command before running it, protect /home/openclaw/.openclaw/.env and /home/openclaw/data, and avoid running scripts/network_monitor.sh unless you deliberately want host-level network failover and have added safeguards such as dry-run testing, interface validation, rollback, and administrator approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill contains actionable shell commands and system-management procedures, but no declared permissions or capability metadata to signal that it manipulates services, cron, logs, and the host environment. In an agent ecosystem, this gap is dangerous because users or orchestrators may treat it as low-risk documentation while it effectively enables privileged host changes and persistence-related operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented purpose is operational stability, but the file also references network monitoring/failover behavior and external heartbeat reporting that can alter routing or send status data off-host. Undeclared networking and telemetry behavior increases risk because operators may not realize the skill can affect network configuration or leak operational metadata to third parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document recommends persisting task progress and heartbeat state to local JSON files and Redis without any warning about sensitive data exposure, file permissions, retention, or access control. In an unattended long-running agent context, progress state can contain task identifiers, failed item details, timestamps, and operational metadata that may leak sensitive workflow information or be tampered with to influence task execution.

Credential Access

High
Category
Privilege Escalation
Content
MemoryMax=2G
TasksMax=4096
Environment="NODE_ENV=production"
EnvironmentFile=/home/openclaw/.openclaw/.env
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw
Confidence
70% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
Check every 5 minutes whether the Gateway is still alive; see `scripts/healthcheck.sh`:

```bash
# crontab -e
*/5 * * * * /home/openclaw/scripts/healthcheck.sh
```
Confidence
78% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
**Enable the service:**
```bash
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
journalctl -u openclaw -f
```
Confidence
86% confidence
Finding
systemctl enable

VirusTotal

63/63 vendors flagged this skill as clean.
