OpenClaw Security Audit

Security checks across malware telemetry and agentic risk

Overview

This is a high-privilege security audit skill with broad local inspection, local report/baseline writes, and clearly opt-in Git/Telegram features that users should enable only deliberately.

Install and run this only on OpenClaw systems you own or administer. Review generated reports before sharing them, delete old /tmp audit reports if they contain sensitive findings, and enable Git backup, Telegram, or cron only after confirming the repository, remote, chat, and schedule are intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'req' from os.environ.get (line 988, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        }).encode()

        req = urllib.request.Request(url, data=data)
        with urllib.request.urlopen(req) as response:
            return response.getcode() == 200
    except Exception as e:
        append_report(f"\n{t('telegram_send_failed', str(e))}")
Confidence
98% confidence
Finding
with urllib.request.urlopen(req) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises high-privilege auditing behavior and explicitly invokes shell commands, reads environment data, writes reports, and supports optional networked features, but it declares no permissions. This is dangerous because users and policy engines cannot accurately assess or constrain what the skill can access, especially given its elevated access and ability to inspect sensitive data such as process environments and credential-like material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documentation claims the skill is read-only and local-only, yet it writes reports and baselines, creates state on first run, and can perform Git pushes and Telegram notifications when enabled. In a high-privilege security tool, this mismatch is especially risky because operators may trust it with sensitive files, process environments, and DLP findings under false assumptions, leading to unintended persistence or external data disclosure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest says operations are read-only and local-only, but this function stages files, creates commits, and pushes to a remote repository. That discrepancy is dangerous because users may grant elevated access under false assumptions, while the code can export highly sensitive state and audit artifacts off-machine.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Telegram notification is unrelated to a local, read-only audit and creates an unnecessary outbound channel. In context, this is more dangerous because the skill audits sensitive system state and users would not reasonably expect a messaging integration in a privileged scanner.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments claim external operations require explicit opt-in, but the code unconditionally runs 'openclaw update --check'. Depending on implementation, that may contact remote services and violates the stated trust model, which is especially problematic in a privileged auditing tool.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Telegram path sends the generated summary over the network without any user-facing warning at execution time. Even with an environment-variable flag, the absence of strong disclosure and confirmation makes silent data leakage more likely in automated or inherited environments.

VirusTotal

63/63 vendors flagged this skill as clean.
