Openclaw Manager

Security checks across malware telemetry and agentic risk

Overview

This skill uses deployment-level access for OpenClaw operations, but the supplied evidence shows those actions are disclosed, purpose-aligned, and security-oriented.

Before installing, treat this as an administrative deployment skill: review the referenced security checklist, run it only in an OpenClaw environment you control, and verify where generated plans or ledger entries will be written. Prefer least-privilege credentials and confirm any action that writes secrets, changes deployment configuration, or exposes services to the network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill instructs the agent to read and write local files via helper scripts and an operations ledger, but the metadata does not declare corresponding permissions. This creates a capability/permission mismatch: an orchestrator or reviewer may treat the skill as less privileged than it really is, increasing the chance of unintended filesystem access or unauthorized state changes during deployment workflows.

VirusTotal

65/65 vendors flagged this skill as clean.
