Openclaw Health Audit

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OpenClaw health-audit tool, but it can persistently schedule agent work and change cron/session state with incomplete warnings and inconsistent external-reporting disclosure.

Install only if you want this skill to administer your OpenClaw runtime. Before running the wizard, disable the recurring cron job unless you need it, run reports in dry-run mode first, back up `~/.openclaw/cron/jobs.json` and `session_model_state.json`, and do not use `health fix all` until you have reviewed exactly which cron jobs and session entries it will change. Treat Telegram/Discord report delivery as an external data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The installer writes an autonomous cron job that causes periodic agentTurn execution with instructions to message the user and potentially perform repairs based on later replies. That creates persistent post-install behavior and expands the skill from local auditing into unattended agent orchestration, which can trigger unintended actions, social-engineering opportunities, or abuse if the cron/jobs.json channel is trusted by the broader platform.

Context-Inappropriate Capability

Medium, 86% confidence
Finding
A setup wizard that executes another script during installation increases the attack surface and violates least surprise, especially in a security-sensitive agent ecosystem where bundled scripts may later change or be replaced. Even though this invocation is local and non-shell, install-time code execution can be abused to run logic the user did not intend as part of configuration.

Description-Behavior Mismatch

Medium, 83% confidence
Finding
The skill is framed primarily as health monitoring/audit, but it includes automatic repair routines that rewrite cron configuration and persisted session state. In an agent context, this can cause unauthorized or unexpected integrity changes to operational files, especially if a user invokes a broad fix command without understanding the consequences.

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The cron template is not limited to passive health auditing: it also instructs the agent to send results over Telegram and later execute repair commands based on user replies. This expands the trust boundary from local monitoring into external messaging and remote-triggered remediation, creating a realistic path to unintended or unauthorized changes if messages are spoofed, misrouted, or misunderstood.

Context-Inappropriate Capability

Medium, 89% confidence
Finding
Sending audit output through Telegram grants an outbound communications capability that is not necessary for basic health checking and may expose operational details to an external service. Health reports can contain system state, file paths, error data, or other sensitive metadata that increases reconnaissance value if intercepted, forwarded, or delivered to the wrong recipient.

Missing User Warnings

Medium, 92% confidence
Finding
The README advertises 'auto-repair' behavior and optional Cron registration, but it does not clearly warn users that running the setup can modify local configuration and install persistent scheduled tasks. In an agent-skill context, this is risky because operators may treat README commands as low-risk documentation and trigger state-changing actions without understanding persistence, scope, or rollback implications.

Missing User Warnings

Medium, 95% confidence
Finding
The README provides direct commands for '--fix' and especially '--fix all' without a prominent warning that these operations may make irreversible or environment-specific changes. In a security review, this increases the chance of unsafe execution by users or agents, particularly because the skill is framed as automated health repair and could affect sessions, configs, or scheduled jobs.

Missing User Warnings

Medium, 89% confidence
Finding
The README advertises automatic repair actions such as Cron isolation and session cleanup without clearly warning that these operations may modify system configuration or delete state. In an operational skill focused on health auditing and auto-remediation, users may reasonably execute suggested fixes assuming they are low-risk, which can lead to unintended service disruption, loss of session data, or misconfiguration.

Missing User Warnings

Medium, 95% confidence
Finding
Presenting a one-click "health fix all" command without a strong caution encourages bulk automatic changes whose scope is not fully described in the README. Because this skill claims to alter Cron behavior and clean sessions, a single command could cause broad state changes or outages if run in the wrong environment or against incorrect targets.

Vague Triggers

Medium, 82% confidence
Finding
Using a broad trigger term like `audit` can cause the skill to activate in unrelated conversations, increasing the chance of unintended execution. In a skill that can run scripts and perform automatic fixes, overbroad invocation raises the risk of accidental privileged actions from ambiguous user phrasing.

Missing User Warnings

Medium, 87% confidence
Finding
The orphan-session cleanup permanently deletes persisted session entries based only on age, with no backup, confirmation, or safety interlock in the fixer path. In an agent-operated environment, this can destroy state unexpectedly and potentially disrupt recovery, routing, or historical continuity if triggered mistakenly or on manipulated timestamps.

Missing User Warnings

Medium, 89% confidence
Finding
The cron fix routine silently rewrites live job configuration, changing session association, timeout, and model selection. In an operational automation system, unexpected mutation of scheduler state can alter behavior, break workflows, or be abused as a privileged configuration-changing primitive if this script is callable by an agent.

Missing User Warnings

Medium, 88% confidence
Finding
The session integrity repair routine rewrites fallback chains in persistent state using synthesized defaults and provider substitution rules, without confirmation or rollback. Because these values control model routing, incorrect repair logic can silently redirect traffic, break failover behavior, or corrupt session semantics across the system.

VirusTotal

65/65 vendors flagged this skill as clean.