Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This GitHub sync skill matches its purpose, but it can automatically upload and download OpenClaw skills, memory, and settings without per-session approval.

Install only if you intentionally want GitHub-backed workspace sync. Use a private dedicated repository, review which paths are synced, consider setting autoSync to false until you trust the workflow, and avoid syncing secrets or sensitive memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill advertises `/push` and `/reset` capabilities that can transfer workspace data to GitHub or remove local sync configuration, but it provides no warning about the sensitivity of synced content or the consequences of destructive actions. In a sync skill, users may reasonably trigger these commands without realizing they could upload secrets, private memory, or overwrite local state, making this a real safety issue even if it is not overtly malicious.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The hook is configured to run automatically on every session start, which is a broad trigger for an operation that can modify local workspace state by pulling remote content. In the context of a GitHub-based sync skill, this increases the chance of unexpected code, configuration, or memory changes being introduced without an explicit user action or tight scoping.

Missing User Warnings

Severity: High
Confidence: 93%
Finding:
The description states that the hook automatically pulls workspace files from GitHub on session start and 'runs silently,' but it does not warn users that local skills, memory, and settings may be modified automatically. That lack of warning is dangerous because users may begin a session assuming a stable local environment while remote-controlled changes are applied invisibly, potentially affecting later agent behavior or security posture.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The hook is configured to run automatically on session_end and its description says it 'runs silently' while pushing workspace changes to GitHub. That creates a real risk of unintentionally exfiltrating sensitive workspace contents, tokens, notes, or proprietary code without an explicit user warning or consent at the time of push.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The handler automatically calls autoPush() at session end and silently pushes files to GitHub without obtaining explicit user consent at the time of transfer. In a sync skill that handles workspace data such as skills, memory, and settings, this can expose sensitive or unintended content to a remote repository, especially because errors are suppressed and the only notice comes after a successful push.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The manifest explicitly advertises cross-device syncing of workspace content via GitHub, including skills, memory, and settings, and also offers auto-sync. Without an explicit warning, scope limitation, or consent language in the manifest, users may unknowingly transmit sensitive local workspace data to a remote repository, increasing the risk of privacy leaks or accidental exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to pull files into the workspace and explicitly allows a conflict action that overwrites local files, but it does not present an upfront warning about modification and data-loss risk before execution. In an agent setting, that omission can cause users to authorize or trigger the skill without understanding that workspace contents may change or be irreversibly replaced during conflict resolution.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill directs the agent to create a config file and perform an initial pull that writes files into the local OpenClaw workspace, but it does not require an explicit warning or confirmation immediately before making those changes. Because the pulled content includes skills, memory, and configuration-like files from a remote repository, this can overwrite or introduce persistent local state in a way the user may not fully anticipate.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The plugin automatically pushes workspace contents to GitHub on session end without a user-facing warning, confirmation, or per-operation consent at the point data leaves the system. Because the synced scope includes sensitive workspace data such as skills, memory, and settings, this can unintentionally exfiltrate private or security-relevant information to a remote repository if users are unaware autoSync is enabled.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
Ask the user for their sync repo in `owner/repo` format. This is the GitHub repository where their OpenClaw workspace files will be stored.

If they don't have one yet, suggest they create a new private repo on GitHub first.

### 3. Create Config

Confidence: 80%
Finding:
create a new private repo on GitHub first. ### 3. Create Config Ask the user which items to sync (default: all three): - Skills (`~/.openclaw/workspace/skills`) - Memory (`~/.openclaw

VirusTotal

62/62 vendors flagged this skill as clean.
