OpenClaw Ops

Security checks across malware telemetry and agentic risk

Overview

This appears to be real OpenClaw operations tooling, but without strong access controls it can expose sensitive logs, configuration, and session content, and it can modify staging deployments.

Install only in a trusted admin environment. Before using it in shared or production deployments, require authentication for config, logs, staging-smoke, skills inventory, and all observer commands; disable or disclose session/message logging; review the workspace shell script used by /privacy-scan; and grant any GitHub PAT only the minimum repositories and issue-label permissions needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch (Severity: Medium, confidence 82%)

The manifest frames the skill as deployment operations tooling, yet it also includes GitHub privacy scanning and issue triage across repositories. That undocumented scope expansion increases attack surface and can lead operators to install repository-scanning and issue-modification capabilities they did not intend to authorize.

Context-Inappropriate Capability (Severity: Medium, confidence 95%)

The command enumerates and returns process environment variables for several broad prefixes, including provider credentials such as OPENAI, ANTHROPIC, and AZURE values. Although it attempts masking based on key names, this still exposes sensitive operational context and can leak secrets when variable names do not match the masking patterns or when partial-value disclosure is unsafe.

Description-Behavior Mismatch (Severity: Low, confidence 88%)

The configuration command reveals host and filesystem details such as the home directory, workspace path, and OpenClaw config location. These details aid local reconnaissance and reduce attacker uncertainty about where configs, plugins, and other sensitive files are stored.

Description-Behavior Mismatch (Severity: High, confidence 97%)

The /staging-smoke command is framed as an operational smoke test, but it makes real state-changing actions across every workspace plugin: it modifies staging plugin allowlists, installs plugins, restarts the gateway, and writes reports. In a low-friction command surface with requireAuth: false and no confirmation step, this creates a broad deployment-manipulation primitive that can affect availability and configuration far beyond passive monitoring.

Context-Inappropriate Capability (Severity: Medium, confidence 91%)

The /privacy-scan command claims to be safe and report-only, but it executes a shell script located in the workspace with bash. Because the script contents are external to this file and unconstrained, anyone who can alter that script or influence the workspace can turn a supposedly harmless reporting command into arbitrary code execution under the agent's privileges.

Intent-Code Divergence (Severity: Medium, confidence 89%)

The mismatch between the description 'safe, report-only' and the actual behavior of invoking bash on a workspace script is security-relevant because it lowers operator suspicion and may cause unsafe use of the command. Deceptive or inaccurate safety labeling is especially dangerous in agent skills, where users may rely on descriptions to decide whether execution is harmless.

Description-Behavior Mismatch (Severity: Medium, confidence 91%)

The file explicitly implements surveillance of AI conversations across all sessions and reads memory-store JSONL files, which exceeds a deployment-operations skill's stated purpose. This creates unauthorized access to sensitive conversation and memory content, including cross-session data that operators or other users may not expect to be collected or exposed.

Context-Inappropriate Capability (Severity: Medium, confidence 95%)

The message_received hook captures inbound message content and stores previews in a persistent event log for all sessions, while the registered commands expose aggregated cross-session activity. In a skill described as operational commands for deployments, this broad surveillance capability is unjustified and dangerous because it enables administrators or compromised accounts to inspect unrelated conversations.

Context-Inappropriate Capability (Severity: Medium, confidence 96%)

The code reads all .jsonl files under the workspace memory directory and exposes memory-write previews, tags, channels, and conversation IDs. Memory stores often contain sensitive summaries, secrets, or personal data, so surfacing them through observer commands materially increases the risk of data leakage beyond the skill's stated deployment-management function.

Context-Inappropriate Capability (Severity: Medium, confidence 88%)

This code scans the workspace and its parent directory for all local openclaw-* plugins, parses their source files, and exposes their metadata and registered commands to any caller via unauthenticated commands. That creates an information disclosure surface beyond the stated operational-management purpose, revealing installed capabilities and local development inventory that could help an attacker map the environment and target sensitive plugins.

Context-Inappropriate Capability (Severity: Medium, confidence 95%)

The /skills output includes each plugin's absolute or local filesystem path and is registered with requireAuth: false, so path information is disclosed without authentication. Filesystem paths aid reconnaissance by exposing directory layout, usernames, mount points, and development structure, which can be chained with other weaknesses for targeted exploitation or data access attempts.

Missing User Warnings (Severity: Medium, confidence 94%)

The proposed /backup and /restore commands describe full backup and disaster recovery capabilities but omit explicit user-facing warnings, confirmation requirements, and safe defaults for operations that can overwrite configuration, workspace state, or historical data. In an ops-focused skill, these commands are likely to be implemented and used on live systems, so undocumented destructive potential materially increases the risk of accidental data loss or unsafe recovery actions.

Missing User Warnings (Severity: Medium, confidence 91%)

The /runbook command includes automated runbook execution without warning that runbooks may perform privileged, state-changing, or destructive operational steps. Because this skill is explicitly for operational management, runbook automation can trigger real service restarts, configuration changes, or recovery procedures, making the lack of safety messaging and execution controls a meaningful risk.

Missing User Warnings (Severity: Medium, confidence 93%)

This command combines multiple categories of sensitive local information—filesystem paths, plugin locations, config content, and environment variable values—without warning or access restriction. In an operational skill, such broad disclosure increases the blast radius of any misuse because a caller can collect reconnaissance and potentially sensitive configuration data from a single command.

Missing User Warnings (Severity: Medium, confidence 95%)

The /staging-smoke flow performs multiple mutating operations—config set, plugin install, gateway restart, and report writes—without any warning, dry-run mode, or confirmation. In an ops skill where commands are easy to invoke and authentication is disabled, the absence of guardrails materially increases the chance of accidental or unauthorized disruption to staging systems.

Missing User Warnings (Severity: Medium, confidence 89%)

Conversation content is persistently logged to ~/.openclaw/workspace/observer/events.jsonl and later surfaced through commands, yet the command descriptions do not provide meaningful disclosure that user content is being recorded and retained. This undermines user expectations and privacy controls, and can turn routine operational access into silent content surveillance.

Missing User Warnings (Severity: Medium, confidence 94%)

The /logs command is registered with requireAuth: false and returns arbitrary recent log contents directly to any caller. Operational logs commonly contain secrets, tokens, internal endpoints, stack traces, user prompts, and other sensitive data, so unauthenticated log disclosure is a real information exposure issue even if the code does not explicitly warn users.

VirusTotal

No VirusTotal findings