Openclaw Security Toolkit

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate local OpenClaw security tool, but it handles live secrets and token changes too openly for automatic approval.

Install only if you are comfortable running a local admin tool that reads OpenClaw credential and access files. Treat JSON scan/report output and saved reports as sensitive, avoid sharing terminal logs, and run token rotation or --fix only in a trusted terminal after backing up your OpenClaw config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill advertises commands that can read from and write to local files, but it does not declare any permissions or warn users about those capabilities. This weakens trust boundaries because a user or platform may assume the skill is read-only or lower risk when it can actually modify configuration and report files.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The declared description emphasizes auditing and reporting, but the documented behavior also includes rotating tokens, modifying OpenClaw configuration, and applying hardening fixes. That mismatch is dangerous because users may invoke a seemingly diagnostic security tool without realizing it performs state-changing operations that affect authentication and system configuration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The function goes beyond passive security auditing and directly modifies authentication configuration, then returns the newly set credential to the caller. In a security-oriented skill, this increases risk because secrets are both persisted and exposed through program output or upstream consumers, creating an avoidable credential disclosure path.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The function contract implies informational output, but the implementation includes the full new token in the returned dictionary. Callers may log, serialize, or display that structure under the assumption it contains only non-sensitive metadata, causing silent credential leakage into logs, reports, or agent traces.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The changelog advertises secret scanning, token management, access control, and an automatic hardening mode with '--fix' but does not warn that these actions may inspect sensitive local data or modify security-relevant system state. In a security-focused skill, omission of consent, preview, and rollback expectations can lead users to run invasive scans or configuration changes without understanding privacy or operational consequences.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill documents auto-fix and hardening commands without any warning that they may change system or configuration state. In a security-focused skill, users may trust the tool and run recommended commands quickly, increasing the chance of unintended configuration changes, service disruption, or lockout if fixes are applied automatically.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script prints a full JSON dump of access-control information, including paired devices, full device identifiers, pending pairings, channel membership data, and potentially user/account identifiers, without any warning, redaction, or access check. In a security-oriented skill, this increases the risk of accidental disclosure through terminal logs, screenshots, shell history capture, CI output, or use by lower-privileged operators who should not see full access metadata.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The Markdown formatter includes secret scan findings with exact file paths, line numbers, and secret names, which can disclose sensitive repository structure and identifiers to anyone who receives the report. In a security-reporting skill, this is especially risky because reports are likely to be shared broadly or exported, turning a defensive scan into an information disclosure channel.
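The two findings above (the unredacted access-control JSON dump and the Markdown formatter that prints exact paths, line numbers and secret names) share one fix: redact identifiers before anything leaves the operator's terminal, while keeping the report actionable. The Python below is an added example, not code from the Openclaw Security Toolkit or from SkillSpector; the sample dump, the finding records, the key names and the report layout are all assumed for illustration. It generalizes slightly beyond the page: rather than patching the two specific formatters, it walks arbitrary nested JSON, replaces values under identifier-like keys with salted pseudonyms, keeps line numbers and non-identifying fields, and hands the operator a local key map that is never written into the shared report.

```python
import hashlib
import json
import re
import secrets
from typing import Any

# Constructed sample data in the shape the findings describe (an
# access-control dump and secret-scan hits); every value is made up.
ACCESS_CONTROL = {
    "paired_devices": [
        {"device_id": "dev-7f3a9c1e4b2d", "owner": "alice@example.test",
         "channels": ["ops", "general"]},
        {"device_id": "dev-0c8e5d2a9f11", "owner": "bob@example.test",
         "channels": ["general"]},
    ],
    "pending_pairings": [
        {"device_id": "dev-551b2c7d8e90", "requested_by": "carol@example.test"},
    ],
}
SECRET_FINDINGS = [
    {"severity": "high", "path": "/home/alice/.openclaw/config.json",
     "line": 42, "secret": "OPENAI_API_KEY"},
    {"severity": "high", "path": "/home/alice/project/.env",
     "line": 3, "secret": "SLACK_BOT_TOKEN"},
]

# Keys whose string values identify a person, device, file or secret.
# Line numbers, severities and channel names are kept: they make the
# report actionable without naming anyone or anything.
SENSITIVE_KEY = re.compile(
    r"(?:^|_)(id|owner|email|user|account|path|secret|token|requested_by)$",
    re.IGNORECASE)


def pseudonym(value: str, salt: str) -> str:
    """Salted, truncated SHA-256: equal values get equal aliases within one
    run so rows stay correlatable, but the alias reveals nothing by itself."""
    digest = hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()
    return f"redacted:{digest[:10]}"


def redact(obj: Any, salt: str, key_map: dict, key: str = "") -> Any:
    """Recursively replace sensitive string values in nested JSON.
    key_map (alias -> original) is filled in for the operator's local use
    and must never be written into the shareable report."""
    if isinstance(obj, dict):
        return {k: redact(v, salt, key_map, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, salt, key_map, key) for v in obj]
    if isinstance(obj, str) and SENSITIVE_KEY.search(key):
        alias = pseudonym(obj, salt)
        key_map[alias] = obj
        return alias
    return obj


def findings_markdown(findings: list) -> str:
    rows = ["| Severity | Location | Secret |", "|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['severity']} | {f['path']}:{f['line']} | {f['secret']} |")
    return "\n".join(rows)


def build_report(access: dict, findings: list, salt: str) -> tuple:
    """Return (shareable Markdown, local key map). The Markdown contains
    only aliases; the key map is the only way back to real identifiers."""
    key_map: dict = {}
    sections = [
        "# OpenClaw security report (redacted; safe to share)",
        "",
        "## Secret scan",
        findings_markdown(redact(findings, salt, key_map)),
        "",
        "## Access control (JSON)",
        json.dumps(redact(access, salt, key_map), indent=2),
    ]
    return "\n".join(sections), key_map


if __name__ == "__main__":
    report, key_map = build_report(ACCESS_CONTROL, SECRET_FINDINGS, secrets.token_hex(16))
    print(report)
    # key_map stays on the operator's machine (e.g. written 0600 beside the
    # run log); resolve an alias with key_map["redacted:..."] when needed.
```

A fresh random salt per run means aliases cannot be correlated across reports unless the operator deliberately reuses the salt; the key map should be stored with 0600 permissions and never attached to the report or pasted into a ticket.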

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: After writing the new credential to disk, the code returns it without any warning or handling constraints, making accidental exposure likely through CLI output, logs, telemetry, or higher-level orchestration. In the context of a security guard skill, users may especially trust its outputs and route them into reports, which amplifies disclosure risk.
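The findings about the rotation function returning the new credential (Description-Behavior Mismatch, Intent-Code Divergence and the one just above), together with the two about unannounced --fix and hardening changes, describe one missing contract: a state-changing security operation should preview by default, back up before it writes, and return only metadata. The Python below is an added example, not the toolkit's code; the config file name, the gateway_token field, and every function and class name are assumptions for illustration. It puts the leaky result shape beside a result type that carries a token fingerprint instead of the token, and wraps the write in a timestamped 0600 backup, an atomic 0600 replace, and a rollback.

```python
import hashlib
import json
import os
import secrets
import shutil
import tempfile
import time
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Optional

# Assumed for illustration: a JSON config holding a single "gateway_token".
# The real toolkit's config layout and rotation command are not shown here.


def leaky_rotation_result(new_token: str) -> dict:
    """The pattern the findings describe: the live secret is part of the
    return value, so json.dumps() of it lands in logs and agent traces."""
    return {"status": "rotated", "token": new_token}


@dataclass(frozen=True)
class RotationResult:
    """What a caller legitimately needs, and nothing that must stay secret.
    The token is absent by construction, so this can be logged or returned
    to an orchestrator without disclosing the credential."""
    config_path: str
    backup_path: Optional[str]       # None on a dry run
    new_fingerprint: Optional[str]   # None on a dry run
    applied: bool


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix: enough to confirm which token is live, useless
    for recovering a 256-bit random token."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:16]


def _atomic_write_0600(path: Path, data: dict) -> None:
    """Write to a 0600 temp file in the same directory, then rename over the
    target, so a crash cannot leave a half-written or world-readable config."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".openclaw-")
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh, indent=2)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def rotate_token(config_path: Path, *, dry_run: bool = True) -> RotationResult:
    """Preview by default; only dry_run=False changes state, and then only
    after a timestamped 0600 backup has been taken."""
    if not config_path.exists():
        raise FileNotFoundError(config_path)
    if dry_run:
        return RotationResult(str(config_path), None, None, applied=False)
    cfg = json.loads(config_path.read_text())
    backup = config_path.with_name(f"{config_path.name}.bak-{int(time.time())}")
    shutil.copy2(config_path, backup)
    os.chmod(backup, 0o600)
    new_token = secrets.token_urlsafe(32)
    cfg["gateway_token"] = new_token
    _atomic_write_0600(config_path, cfg)
    return RotationResult(str(config_path), str(backup), fingerprint(new_token), applied=True)


def rollback(result: RotationResult) -> None:
    """Restore the pre-rotation config from the backup recorded in the result."""
    if result.backup_path is None:
        raise ValueError("nothing to roll back: that was a dry run")
    shutil.copy2(result.backup_path, result.config_path)


def demo() -> dict:
    """Run preview, apply and rollback in a scratch directory and return
    observations about the outcome, never the token itself."""
    workdir = Path(tempfile.mkdtemp(prefix="openclaw-rotate-demo-"))
    cfg = workdir / "openclaw.json"
    cfg.write_text(json.dumps({"gateway_token": "old-token-value"}))  # constructed
    preview = rotate_token(cfg, dry_run=True)
    untouched = json.loads(cfg.read_text())["gateway_token"] == "old-token-value"
    applied = rotate_token(cfg, dry_run=False)
    live = json.loads(cfg.read_text())["gateway_token"]
    mode = oct(cfg.stat().st_mode & 0o777)
    safe_dump = json.dumps(asdict(applied))
    leaky_dump = json.dumps(leaky_rotation_result(live))
    rollback(applied)
    restored = json.loads(cfg.read_text())["gateway_token"] == "old-token-value"
    return {
        "preview_applied": preview.applied,
        "untouched_after_preview": untouched,
        "fingerprint_matches": fingerprint(live) == applied.new_fingerprint,
        "config_mode": mode,
        "token_in_safe_result": live in safe_dump,
        "token_in_leaky_result": live in leaky_dump,
        "restored": restored,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fingerprint is what an operator or an agent trace needs to confirm that the expected token is live; anyone who needs the token itself reads it from the 0600 config file, never from the function's return value.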

VirusTotal

64/64 vendors flagged this skill as clean. Note that these are antivirus verdicts against known-malware signatures; they do not assess the credential-handling and state-changing behavior described in the findings above, so a clean result here does not offset them.
