Nodetool

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: nodetool
Version: 0.6.3

The `SKILL.md` file instructs the execution of remote scripts via `curl | bash` and `irm | iex` for installation from GitHub (e.g., `https://raw.githubusercontent.com/nodetool-ai/nodetool/refs/heads/main/install.sh`). This presents a significant supply chain risk, as the content of these external scripts is not part of the analyzed bundle and could change, leading to arbitrary code execution. Additionally, the described `nodetool` CLI offers broad system interaction capabilities, including starting network services (`nodetool serve`, `nodetool proxy`), managing local AI model caches, and a command to "View settings and secrets" (`nodetool settings show`), which, while potentially legitimate for its purpose, increases the attack surface. The non-interactive installation mode further exacerbates this risk by skipping user prompts.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing this way gives the remote installer code the ability to change the local machine.

Why it was flagged

The documented installer runs a remote script from a mutable GitHub branch, and that script is not included in the provided artifacts for review.

Skill content
curl -fsSL https://raw.githubusercontent.com/nodetool-ai/nodetool/refs/heads/main/install.sh | bash
Recommendation

Review the install script first, prefer a pinned release or package manager if available, and avoid silent installation unless you trust the source.

What this means

Silent install mode could make system changes without interactive confirmation.

Why it was flagged

The skill documents non-interactive installation that skips prompts while executing remote code. This is expected for setup but should remain user-directed.

Skill content
Both scripts support silent installation: ... curl -fsSL https://raw.githubusercontent.com/nodetool-ai/nodetool/refs/heads/main/install.sh | bash -y
Recommendation

Do not let an agent run silent installers automatically; use interactive mode and review prompts unless installing in a controlled CI environment.

What this means

Tokens or secrets provided to the CLI may become visible to the agent session or local shell history.

Why it was flagged

The documented workflow runner can receive user IDs and auth tokens. This is plausible for a workflow platform, but tokens are sensitive and may appear in command history or agent context.

Skill content
echo '{"workflow_id":"abc","user_id":"1","auth_token":"token","params":{}}' | nodetool run --stdin --jsonl
Recommendation

Use least-privilege tokens, avoid pasting real secrets into examples, and confirm before the agent runs commands containing credentials.

What this means

If run, this command could expose local configuration secrets to the agent or transcript.

Why it was flagged

The skill documents a command that may display stored secrets. This is an administrative capability and is not shown as automatic behavior.

Skill content
# View settings and secrets
nodetool settings show
Recommendation

Run secret-viewing commands only when necessary and redact sensitive output before sharing it.

What this means

A mistaken deployment command could create, modify, or remove cloud resources.

Why it was flagged

The deployment command set includes applying and destroying cloud deployments. This is aligned with the tool's deployment purpose, but these are high-impact administrative actions.

Skill content
nodetool deploy apply ... nodetool deploy destroy <deployment_name>
Recommendation

Require explicit confirmation before running deployment-changing commands, and use plan/status commands before apply or destroy.

What this means

Services or jobs may keep running and expose local workflows or consume resources.

Why it was flagged

The skill documents background jobs, a network-exposed server, and a proxy daemon. These are expected for a workflow service but can continue running after the immediate task.

Skill content
nodetool jobs start <workflow_id> ... nodetool serve --host 0.0.0.0 --port 8000 ... nodetool proxy-daemon
Recommendation

Start daemons or background jobs only when requested, bind to localhost unless external access is needed, and stop services when finished.