OpenClaw Setup on AWS (Free Tier) - Memory Upgrade

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OpenClaw setup guide, but it asks an agent to handle cloud administration, live credentials, Google data access, and persistent automation with weak boundaries.

Install only if you are comfortable letting an AI agent administer a cloud server and configure a persistent assistant with access to messaging, paid APIs, and possibly Google Workspace data. Use fresh least-privilege credentials, avoid pasting long-lived secrets into chat where possible, review privileged commands before they run, verify package sources, limit OAuth scopes, and make sure you know how to stop the service, revoke tokens, and delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (11)

Missing User Warnings

High
Confidence: 99%
Finding
The skill instructs the agent to collect highly sensitive credentials such as API keys directly from the user and handle them in-chat, without any warning about confidentiality, scope, or safe handling. In this context, the agent is also told to perform deployment actions, so centralizing secrets in the chat/session materially increases the chance of credential exposure, logging, reuse, or accidental disclosure.

Missing User Warnings

High
Confidence: 99%
Finding
A Telegram bot token grants control over the bot and can be abused for impersonation, message interception, or service takeover if exposed. The skill explicitly tells the user to send the token to the agent without any safety guidance, which is especially dangerous in a setup workflow that normalizes sharing operational secrets conversationally.

Missing User Warnings

High
Confidence: 98%
Finding
Google OAuth client secret files are sensitive artifacts that can facilitate unauthorized OAuth flows or broaden access if mishandled. The skill tells the user to download and use the file with no warning about sensitivity, storage hygiene, or least-privilege considerations, increasing the risk of accidental disclosure.

Missing User Warnings

High
Confidence: 99%
Finding
The skill recommends putting sensitive credential material, including a password, into .bashrc or a systemd unit, both of which commonly expose secrets to local users, process inspection, backups, logs, or administrative tooling. In this context, the credentials protect access to Google-integrated data, so plaintext persistence significantly increases compromise impact.

Missing User Warnings

High
Confidence: 99%
Finding
The service configuration example includes plaintext environment variables for a keyring password and account identity, normalizing insecure secret storage in a long-lived privileged service definition. This makes credential theft easier through file reads, backup leakage, administrative inspection, or misconfiguration, and is particularly risky because it enables access to email, calendar, and other personal data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide markets persistent memory, broad app control, messaging access, and proactive automation as benefits without warning users about the privacy, consent, and permission risks of granting an agent continuous access to personal systems. In this context, users may underestimate that the assistant could read, retain, or act on sensitive data and perform unintended actions across integrated services.

Missing User Warnings

Medium
Confidence: 95%
Finding
Google Workspace integration and browser automation inherently involve access to highly sensitive email, calendar, files, and web sessions, yet the guide presents these capabilities without any caution about data exposure, modification, or transmission. Because this skill is specifically about deploying a persistent autonomous assistant, the absence of warnings and guardrails makes accidental over-privileging and unintended data handling substantially more dangerous.

Missing User Warnings

High
Confidence: 98%
Finding
Telling users to give the instructions to any AI agent to perform full AWS provisioning and installation from scratch encourages autonomous infrastructure changes and credential handling without warning about the risks of exposing API keys, cloud permissions, or destructive system actions. This is especially dangerous because the skill claims end-to-end setup across cloud, bot, API, and workspace integrations, creating a high likelihood of excessive permissions and unsafe secret handling by the agent.

Ssd 3

High
Confidence: 99%
Finding
The instruction explicitly directs the agent to collect user secrets for configuration, which creates a direct data-exposure path and trains users to divulge credentials to an automated intermediary. Because the skill then uses those secrets for deployment, the design expands the attack surface to chat history, agent memory, and any connected tooling.

Ssd 3

High
Confidence: 99%
Finding
Telling the user to send the Telegram bot token to the assistant is a direct request for a live credential that can be used for bot compromise and impersonation. The danger is amplified because the instruction is framed as a normal setup step, making unsafe credential sharing appear expected and acceptable.

Ssd 3

Medium
Confidence: 84%
Finding
The training text says the assistant 'remembers everything,' which normalizes broad, indefinite retention of user-provided information without discussing minimization, retention limits, or sensitive-data exclusions. In a personal-assistant context handling messages, voice, and potentially email/calendar data, this creates meaningful privacy and secondary-exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.
