ClawHub

OpenClaw macOS Always-On

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned, but it installs a persistent macOS system service and stores a gateway token in a broadly readable plist, so it needs careful review before use.

Install only if you intentionally want OpenClaw to run after lock, logout, and reboot. Avoid the one-line curl-to-bash command; download a pinned version, inspect it, and understand that it will create a sudo-managed LaunchDaemon. Do not use this unchanged on a shared Mac unless you are comfortable with other local users potentially reading the gateway token from the plist; prefer Keychain or another restricted secret store and rotate the token after testing or uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states that a system LaunchDaemon runs 'as your user', which is misleading because LaunchDaemons typically run as root unless a UserName is explicitly set. In this skill's context, that misunderstanding is dangerous because the whole purpose is persistent background execution with admin installation, so users may unknowingly deploy the bot with elevated privileges and broader system access than intended.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README states the LaunchDaemon runs 'as your user', but the examples and paths clearly show a system LaunchDaemon context under /Library/LaunchDaemons managed with sudo launchctl system/. This is dangerous because it can mislead operators about privilege boundaries, causing them to assume lower risk while deploying a system-level persistent service with broader impact and different security properties.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document repeatedly claims the LaunchDaemon setup uses caffeinate for lock-screen persistence, but the automated installer generates a plist that executes node directly without caffeinate. This mismatch can mislead users into deploying a configuration with different persistence and sleep behavior than documented, undermining security review and operational expectations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill states the gateway token in the plist is readable only by root and the user, but it instructs users to install the plist with mode 644, which is world-readable. Because the token is stored in EnvironmentVariables, any local user can read the plist and recover the credential, enabling unauthorized access or impersonation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README recommends executing a remotely fetched script directly with bash, which removes the user's opportunity to inspect the code before running it. Because installation requires admin access and modifies system persistence mechanisms, compromise of the GitHub account, repository, branch, or network path could lead to arbitrary code execution and full system takeover.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README recommends executing a remote script directly via curl | bash, which removes the opportunity for users to inspect the script before execution and creates a single-step path to arbitrary code execution. In this skill's context, the script is for installing a persistent system service and likely requires elevated privileges, making compromise of the repository, branch, or delivery path especially dangerous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
These instructions install a persistent system-level LaunchDaemon using sudo but do not prominently warn that this creates boot-time persistence and changes trust boundaries on the host. In a skill context, that omission is significant because users may follow the commands without appreciating the lasting security implications.

Missing User Warnings

High
Confidence
98% confidence
Finding
The one-command install fetches and executes remote code via curl piped to bash without pinning, signature verification, or a strong safety warning. This exposes users to repository compromise, MITM in weaker environments, or accidental execution of changed code with little opportunity to inspect what will run.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script embeds the gateway token directly into a persistent LaunchDaemon plist under /Library/LaunchDaemons, making the credential long-lived and more broadly exposed than a transient runtime secret. Because the plist is later set to mode 644, local users can potentially read the token, enabling unauthorized use of the gateway service or impersonation of the agent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stops existing services, replaces startup configuration, and bootstraps a persistent system service with sudo without an explicit confirmation step. In a security-sensitive installer, making privileged persistence changes non-interactively increases the risk of accidental deployment, especially because this skill is specifically designed to survive logout, lock, and user switching.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal