OpenClaw AWS Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a real AWS deployment helper, but it grants broad cloud authority and installs a persistent agent with proactive personal-assistant behaviors that need careful review.

Review before installing. Prefer AWS SSO or an assume-role flow over IAM-user access keys, run setup_deployer_role.sh --dry-run, and narrow the deployer policy to the specific SSM parameter paths, tagged instances, and IAM role/profile names for this deployment. Disable or edit the default heartbeat, memory, and agent-to-agent settings if you only want an on-demand AWS-hosted agent. Treat .env.aws, Telegram tokens, Gemini keys, and generated AWS keys as secrets, and use teardown only after verifying the target output file, deployment ID, and AWS account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill clearly instructs the agent to run shell commands that create, modify, and delete AWS infrastructure, but it does not declare corresponding permissions. That gap weakens reviewability and enforcement, because a caller may not realize the skill can execute privileged local shell operations against AWS credentials and the filesystem.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The documented description understates the skill's operational scope: it can create IAM principals or access keys, run remote SSM commands, and perform additional monitoring and validation actions beyond simple deploy/teardown. This mismatch is dangerous because operators may grant or invoke the skill under an incomplete mental model, leading to over-privileged execution or unintended cloud changes.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The heartbeat instructions expand the skill far beyond AWS deployment by directing the agent to monitor email, calendar, and repositories and to maintain persistent memory. In an AWS deployment skill, these unrelated capabilities create unjustified access to sensitive personal and project data and can cause autonomous actions outside the user's expected scope.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: These instructions grant personal-assistant style surveillance and outreach authority, such as checking email/calendar and deciding when to contact the user, which is unrelated to deploying OpenClaw on AWS. Because the declared skill context is infrastructure deployment, this mismatch makes the behavior more dangerous: users may authorize cloud setup but unknowingly enable monitoring of private communications and activity.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The troubleshooting text explicitly recommends removing systemd hardening controls such as ProtectHome, ProtectSystem=strict, and ReadWritePaths because they 'cause more issues than they solve.' That guidance weakens containment around the OpenClaw service and increases the blast radius if the service or a dependency is compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The script claims an SSM-only posture but explicitly enables public IP assignment on the subnet and later retrieves and logs the instance's public IP. Even without inbound security-group rules, placing the host on the public internet increases attack surface and violates the stated security model; future rule changes, default routes, agent bugs, or SSRF/egress abuse become more consequential on a publicly addressed instance.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script explicitly supports creating an IAM user and then provisioning long-lived access keys, which expands the skill from deployment automation into credential issuance. Even if intended for convenience, long-lived user credentials materially increase attack surface because they are harder to rotate, easier to exfiltrate, and can persist beyond the deployment workflow.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The script generates AWS access keys and prints the secret access key directly to stdout, creating a clear credential exposure path through terminal history, logs, CI output, shell recording, or copy/paste mishandling. In a deployment skill, this is especially risky because the resulting credentials have infrastructure-management permissions and may remain valid indefinitely.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The script claims to grant 'minimum permissions,' but the included IAM policy allows broad role lifecycle operations and iam:PassRole over wildcarded role names, which is broader than a tightly scoped deploy-only posture. Misleading operators about the privilege level can cause overtrust and increase the blast radius if the deployer identity is abused or the naming convention overlaps with other roles.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README instructs users to place highly sensitive AWS and Telegram credentials into local environment files and use them during deployment, but it does not clearly warn that these values grant infrastructure access and bot control if exposed. In a deployment skill that provisions cloud resources and agent connectivity, missing secret-handling guidance increases the likelihood of credential leakage through commits, shell history, logs, screenshots, or shared workspaces.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding: The teardown section provides destructive commands without a prominent warning that they irreversibly delete deployed AWS infrastructure and may remove the running agent instance and associated resources. In an operational deployment skill, this can lead to accidental service loss, data loss, and unexpected environment destruction if a user runs the command casually or against the wrong deployment.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The teardown section provides one-command deletion of cloud resources but does not prominently warn that the operation is irreversible and may destroy infrastructure, logs, and instance-resident data. In an agent skill context, terse destructive commands increase the chance of accidental invocation, especially when the same skill also automates discovery by name or prior output.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The heartbeat guidance is vague ('do what makes sense', 'something interesting you found') and lacks precise boundaries, increasing the chance of unauthorized or unexpected autonomous behavior. Ambiguous trigger conditions are risky in agent skills because they can be interpreted broadly to justify repeated checks of sensitive systems or user-facing actions without clear approval.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The file instructs the agent to modify local persistent memory files without any user-facing disclosure, approval flow, retention policy, or scope limitation. Silent writes to local state can create privacy, integrity, and auditability issues, especially when the skill's stated purpose is AWS deployment rather than ongoing personal data management.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The guide instructs users to place live API keys into files and shell commands using placeholder examples, but it does not warn about shell history, file ownership, secret rotation, or safer secret stores. In an AWS deployment skill handling real credentials, this can lead to accidental exposure of provider tokens and persistent secret leakage on disk.

VirusTotal

65/65 vendors flagged this skill as clean.