Back to skill

Security audit

ClawSecCheck — OpenClaw Security Self-Audit

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw security-audit skill whose sensitive reads and local writes are disclosed and aligned with its purpose.

Install only if you are comfortable with a local security scanner reading your OpenClaw configuration, bootstrap files, logs, session metadata, installed skills/plugins, and path-existence indicators for credential stores. Use --no-history for private one-off scans, --no-host to skip host posture checks, and --no-native if you do not want it to invoke the local OpenClaw CLI audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill has broad effective capabilities: it reads extensive local files, writes its own state and reports, can invoke an external command, and directs the host agent to perform additional probes or fetch-related actions in some flows. Even if framed as a security audit, the absence of declared permissions creates a transparency and least-privilege gap that can surprise users and weaken policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The top-level description emphasizes a local, read-only self-audit, but the body authorizes broader behavior: subprocess execution, persistent local state beyond simple reports, active canary/red-team flows, and workflows that instruct the host agent to run commands or check for updates. This mismatch can mislead users and reviewers into approving a skill under a narrower trust model than its real behavior warrants.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This code expands scanning into Codex CLI connector plugin caches under agents/*/agent/codex-home/.tmp/plugins/plugins/, which is broader than the skill’s stated OpenClaw-only self-audit scope. Even though it is read-only and framed as informational, it inspects third-party cache content outside the advertised target boundary, increasing collection of local metadata and potentially surprising users about what the skill reads.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The orphaned plugin cache checks enumerate on-disk plugin cache directories in ~/.openclaw/npm/projects/ and agents/*/agent/plugins/ even when they are not declared in the active plugin manifest/config. This is still local and read-only, but it broadens filesystem inspection beyond the narrower installed-skills/plugin scope users may expect, creating a scope-creep and data-minimization issue rather than direct code-execution risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation phrases include very broad terms like 'security check', 'am I vulnerable', and 'audit me', which can trigger this highly privileged inspection skill in contexts where the user did not specifically intend an OpenClaw host audit. Because the skill reads sensitive local configuration, logs, installed skills, and host-security signals, accidental invocation increases unnecessary data exposure and operational risk.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
for target in (real, os.path.dirname(real)):
            mode = os.stat(target).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                return "group/world-writable install path"
    except OSError:
        return None
    return None
Confidence
67% confidence
Finding
world-writable

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
clawseccheck/skillast.py:1223

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
clawseccheck/checks/_content.py:1161

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
clawseccheck/skillast.py:1223

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
clawseccheck/checks/_content.py:1398

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
CHANGELOG.md:1