Security audit

OpenClaw Add Agent

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it says, but users should handle Telegram tokens and OpenClaw config edits carefully.

Before installing, confirm the OpenClaw config path matches your machine, back up openclaw.json, use a dedicated Telegram bot token, avoid sharing or pasting real tokens into logs/screenshots/chat, restrict allowFrom to trusted Telegram user IDs, and prefer an isolated workspace for the new agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence: 94%
Finding
The skill instructs collection and insertion of a Telegram bot token into configuration without any guidance on secret handling, redaction, storage protections, or avoiding echoing the token back to the user. Because bot tokens grant control over the Telegram bot, exposing them in chat history, logs, screenshots, or assistant responses can lead to account takeover and persistent compromise of the bot integration.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill directs modification of a live configuration file and creation of persistent workspace directories without warning about backup, validation, permissions, rollback, or service-impact considerations. Mistakes here can break the OpenClaw deployment, create unauthorized agent bindings, or leave persistent directories containing sensitive data with unsafe defaults.

Ssd 3

Medium
Confidence: 92%
Finding
The example includes a realistic-looking bot token and user ID, which normalizes placing sensitive credentials directly into documentation and responses. Even if the token is illustrative, users may copy the pattern into chats, commits, or shared docs, and if the token is real it could immediately expose control of the bot.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.