huawei-cloud-flexus-l-server-openclaw-deployment

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to deploy OpenClaw on Huawei Cloud, but it handles credentials and billable cloud actions too broadly and leaks sensitive values into logs.

Install only if you are comfortable giving this skill Huawei Cloud credentials that can create billable resources and execute scripts on instances. Use temporary, least-privilege credentials, avoid passing secrets on the command line, review logs for exposed tokens/API keys, confirm all costs and auto-renew settings, restrict Web UI access to trusted IPs, and inspect the remote scripts before running model or channel installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"Executing command: {install_command}")

result = subprocess.run(
    install_command,
    shell=True,
    capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run(install_command, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"Executing command: {install_command}")

result = subprocess.run(
    install_command,
    shell=True,
    capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run(install_command, shell=True, capture_output=True, text=True)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file says credentials must never appear in conversation or be exposed, but the usage examples instruct passing AK/SK/token directly on the command line. Command-line secrets are commonly exposed through shell history, process listings, logs, CI output, and support transcripts, directly undermining the stated security model. In a cloud-provisioning skill, leaked AK/SK could enable unauthorized resource creation or broader account compromise.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The local helper functions execute arbitrary shell commands and modify the local system, which exceeds the expected scope of a cloud deployment/configuration skill. In an agent context, this turns the host running the agent into a target, enabling unintended local code execution, privilege changes, and system modification.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The generic COC script creation and execution APIs allow the skill to create and run arbitrary scripts on target instances, far beyond narrowly deploying OpenClaw. In an agent environment, this materially broadens abuse potential because any prompt steering or misuse can convert the skill into a remote administration/backdoor mechanism.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad enough to allow accidental activation from normal conversation, especially around generic deployment or model/channel-setting requests. Since this skill can perform shell execution, network actions, and billable cloud provisioning, unintended invocation could lead to costly or sensitive operations being initiated without clear user intent. The danger is elevated by the non-interactive automation pathways described elsewhere in the file.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises non-interactive creation of cloud instances without clearly warning that this creates billable resources. Users may invoke automation assuming it is a dry run or configuration helper, when it can actually create infrastructure and incur charges. In a deployment skill, missing cost and side-effect disclosure meaningfully increases the chance of accidental financial impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document recommends a single custom policy that grants wildcard-scoped create, execute, query, and delete permissions across compute instances, scripts, and IAM project enumeration. In the context of a deployment skill, this broad policy can normalize excessive privilege and lead users to grant more access than necessary, increasing the blast radius if the skill, credentials, or automation are misused or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The verification steps instruct users to open port 18789 to the public internet for Web UI access, but they do not warn about exposure risks or recommend restricting source IPs, using HTTPS, or requiring strong authentication. In the context of deploying an application management platform, exposing an admin-facing UI can increase the attack surface and may enable unauthorized access, credential attacks, or exploitation of any web vulnerabilities in the service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints the full `channel_list` during installation configuration, and that JSON is documented to contain sensitive fields like `secret`. This can expose bot or channel credentials to terminal output, logs, CI systems, shell history capture, or operator screenshots, allowing unauthorized reuse of those secrets.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code prints the `Authorization` header and full request headers during instance creation, exposing credential-bearing material to logs or consoles. Anyone with access to those logs may be able to replay requests or recover sensitive signing data, especially in shared agent or CI environments.

Missing User Warnings

High
Confidence
94% confidence
Finding
This function enables arbitrary remote script execution as a caller-specified user without any built-in warning, approval gate, or scope restriction. In the context of an agent skill, that makes prompt-driven misuse significantly more dangerous because the tool can directly alter or compromise remote instances.

Missing User Warnings

High
Confidence
99% confidence
Finding
The local model installation path fetches and executes a remote shell script, then performs privileged local system modifications, all without an explicit warning or isolation boundary. In an agent setting, this is especially dangerous because a cloud-deployment skill unexpectedly gains direct code-execution capability on the host machine running the agent.

Missing User Warnings

High
Confidence
99% confidence
Finding
This local channel installation routine also downloads and executes a remote script and then alters the host system, without a clear safety boundary or warning. Because the skill is supposed to manage cloud deployment, this host-level execution is unexpectedly powerful and amplifies the risk of agent misuse or supply-chain compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function logs full signed request headers during UniAgent status queries, which can leak authorization material or security tokens into logs. Even if the signature is time-bound, exposing credential-bearing headers increases the attack surface and can aid replay or credential misuse in adjacent systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code prints the full `model_params` value in the installation summary, and the example payload explicitly includes secrets such as `api_key`. This can expose credentials to terminals, shell history capture, CI logs, remote session transcripts, or support screenshots, creating a practical secret disclosure risk.

VirusTotal

VirusTotal findings are pending for this skill version.
