Security audit

OpenClaw Claude Delegate

Security checks across malware telemetry and agentic risk

Overview

This is a real Claude delegation wrapper, but it grants broad local execution and copies/sources sensitive Claude credentials in ways users should review carefully before installing.

Install only if you intentionally want OpenClaw agents to use your local Claude Code account, and if so:
  • Prefer the native skill install or a reviewed local clone over curl-to-bash.
  • Use a dedicated non-root runner with separate credentials.
  • Narrow profiles away from your whole home directory.
  • Avoid --notify-cmd unless you fully trust the command source.
  • Review and revoke any copied Claude credentials if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises operational shell, file-read, and file-write behavior but does not declare permissions, which weakens reviewability and consent boundaries for anyone invoking it. In a delegation skill that can dispatch local workers and touch host files, hidden capabilities increase the chance of unintended execution or overbroad access.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The documented purpose understates substantial behaviors: installation from local/GitHub sources, global symlink creation, setup probes, credential/config copying, ACPX integration, workspace prompt injection, and completion callbacks. This mismatch is dangerous because operators may trust the minimal description and invoke a skill that can modify the host, move credentials, and ingest untrusted workspace instructions with broader effects than disclosed.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The --notify-cmd option stores attacker-controlled shell text and later executes it via `bash -lc "$notify_cmd"` with task metadata in environment variables. Any caller able to dispatch or resume a task can therefore achieve arbitrary local command execution, which is broader than notification behavior and especially dangerous in an agent skill that may process untrusted task inputs.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The script copies Claude authentication material from /root into a less-privileged user's home directory, intentionally extending root-held service access to another account. Even though file mode 600 is applied, this is still a credential transfer that broadens the trust boundary and enables the runner user to act with the root user's Claude identity if that account is compromised or misused.

Description-Behavior Mismatch

Low
Confidence: 84%
Finding
The script copies root ACPX configuration into the delegated user's home, which can expose trusted endpoints, tokens, or privileged runtime settings to another principal. Even if the config is not always secret, inheriting root's automation configuration can unintentionally grant access or alter execution behavior under a different user context.

Context-Inappropriate Capability

Low
Confidence: 82%
Finding
The provisioning flow performs npm installation during setup, introducing network-based dependency retrieval and supply-chain risk into a privileged administration path. Although the install is run as the non-root user, the script resolves the package spec from local metadata and automatically fetches code without integrity pinning or operator review.

Missing User Warnings

Medium
Confidence: 98%
Finding
The document explicitly recommends a `curl | bash` installation flow, which executes remote shell code immediately without giving users a chance to inspect, verify, or pin integrity beyond the tagged URL. If the remote source, release tag, GitHub account, or network path is compromised, users could run arbitrary code on their system during installation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The launch copy advertises an optional `bypassPermissions` path as a feature without any warning that it weakens or circumvents normal permission controls. In a tool meant to delegate work to an automated agent, normalizing permission bypass increases the chance that users enable dangerous execution paths without understanding the security tradeoff.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README explicitly recommends executing a network-fetched installer with `curl ... | bash`, which is a well-known unsafe pattern because it grants immediate code execution to whatever is served at that URL at install time. In this skill's context, the danger is increased because the installer sets up a local worker lane, touches authentication state, and may operate in privileged or semi-privileged environments, so a compromised script could exfiltrate tokens or establish persistence.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation promotes an optional non-root bypassPermissions runner without clearly warning that bypassing permission checks reduces safety controls and may permit broader local command/file actions than expected. In this context, the skill already acts as a local delegation lane, so normalizing bypass behavior makes misuse or accidental overreach more likely.

Missing User Warnings

Medium
Confidence: 94%
Finding
The installer fetches code from GitHub and then executes additional local setup logic without any trust verification such as checksum/signature validation or pinning to an immutable commit. This creates a supply-chain risk: if the repository, branch, tag, or network path is compromised, users may install and run attacker-controlled code.

Missing User Warnings

Medium
Confidence: 97%
Finding
The setup instructions explicitly recommend piping a remotely fetched script from GitHub directly into bash. This creates a supply-chain and integrity risk because users execute unreviewed network content immediately, and the script is described as performing installation and setup actions on the host. In this skill’s context, the risk is elevated because the installer configures auth, runners, and local execution paths, so compromise could affect credentials and local agent execution.

Missing User Warnings

Low
Confidence: 80%
Finding
The documentation states that installation creates files in the user's home directory and sets up a wrapper, but it does not present a clear up-front warning about the scope of changes before users are encouraged to run the installer. This is primarily a transparency and safety issue rather than an exploit by itself, but it can lead users to run host-modifying setup without informed consent.

Missing User Warnings

Medium
Confidence: 98%
Finding
This line is the execution point for the notify hook and runs arbitrary shell content without confirmation, warning, or restriction. In this skill context, silent hook execution is particularly dangerous because orchestration features may be exposed to other agents or workflows that treat parameters as data, turning a convenience callback into a command-injection primitive.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script sources an environment file from a user-controlled path using the shell dot operator, which executes arbitrary shell code, not just variable assignments. Because this skill is explicitly designed to run Claude with delegated credentials and may execute as root or via sudo, a modified token file can become a code-execution and privilege-boundary issue in addition to credential loading.

Missing User Warnings

Medium
Confidence: 91%
Finding
This script forwards task metadata, session identifiers, verification state, file paths, file existence/size, continuation hints, and a result preview into another OpenClaw session via a CLI call. If any of these fields contain sensitive information, the script performs cross-session disclosure without an explicit user confirmation or minimization step, which can leak data to a broader audience than intended.

VirusTotal

64/64 vendors flagged this skill as clean.