Openclaw Optimizer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw administration skill, but it should be reviewed carefully because it persists sensitive deployment knowledge and includes remote sync, self-update, and destructive repair guidance without consistently clear approval gates.

Install only if you want a skill with broad OpenClaw administration reach. Before using it, require explicit confirmation for every profile write, SKILL.md edit, SCP sync, cron/config mutation, identity-file change, repair command, and reset command. Do not store full secrets, token fragments, or unnecessary network details in the profile files, and review diffs plus remote destinations before applying any changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch (Medium, 92% confidence)

The skill claims to be advisory-by-default, but its normal workflow instructs creation and maintenance of persistent system profiles during standard sessions. That means routine use can silently write deployment intelligence, topology, cron inventory, and operational notes to disk even when the user asked only for an audit.

Description-Behavior Mismatch (Medium, 90% confidence)

The skill’s stated purpose is setup optimization and troubleshooting, but this section expands behavior into maintaining shared knowledge bases, modifying the skill itself, and syncing files to remote systems over SCP. Those extra behaviors materially increase risk because they move from advice into propagation and persistent alteration across machines.

Intent-Code Divergence (Medium, 95% confidence)

The document says updates are user-initiated and never automatic, but later sections instruct future sessions to actively update the skill and profiles during and after sessions. This contradiction weakens operator expectations and can normalize unauthorized writes under the guise of normal workflow.

Intent-Code Divergence (Medium, 94% confidence)

The safety contract promises not to mutate persistent settings without explicit approval, yet the mandatory profile workflow requires writing persistent files regardless. Even if these are not runtime config files, they are still persistent state changes containing potentially sensitive deployment information, so the contract is materially misleading.

Intent-Code Divergence (Medium, 96% confidence)

The code explicitly disables TLS certificate verification and hostname checking when no CA bundle is available, allowing a man-in-the-middle attacker to spoof api.github.com and control the reported latest version. The warning to stderr does not mitigate the security risk; it still accepts untrusted network data as authoritative.

Description-Behavior Mismatch (Medium, 94% confidence)

Because the version check may consume responses over unverified TLS, the tool can misreport update status based on attacker-injected API responses. In this skill context, the script is used for optimization and troubleshooting guidance, so incorrect version status can mislead operators into applying wrong advice or overlooking needed updates.

Vague Triggers (Medium, 84% confidence)

Broad triggers such as common troubleshooting phrases increase the chance the skill activates in unrelated conversations. Because this skill includes shell, file, network, and persistence guidance, accidental invocation can expose users to unnecessary high-impact actions or cause the model to overreach into system administration tasks.

Vague Triggers (Medium, 84% confidence)

Multiple triggers overlap with ordinary language about agents, improvement, identity, and audits. In a high-capability skill, overly generic invocation paths raise the likelihood of unintended loading and can steer sessions toward reading or modifying sensitive local files such as SOUL.md, USER.md, or deployment configs.

Missing User Warnings (High, 91% confidence)

The reference explicitly documents remote structured command execution and raw shell execution on target nodes, plus allowlisting, without any nearby warning, trust-boundary guidance, or approval caveat. In a skill meant to optimize and troubleshoot OpenClaw setups, these commands materially increase the chance an agent or operator will execute high-impact actions across paired nodes, leading to remote code execution, lateral movement, or destructive admin actions if used unsafely.

Missing User Warnings (Low, 92% confidence)

This documentation shows multiple examples of embedding secrets directly in shell commands, environment exports, and especially inline config objects such as `env: { MY_API_KEY: "sk-..." }`. Even though the file is reference documentation rather than executable code, users commonly copy-paste such examples into tracked config files, shell history, or shared notes, which can lead to credential leakage and downstream account compromise.

Missing User Warnings (Medium, 93% confidence)

The troubleshooting guide recommends repair commands including forceful and non-interactive variants that can overwrite custom supervisor settings or apply changes automatically, but the command block does not foreground the risk of configuration changes, service reinstallations, or state modification. In an agent skill context, users may copy-paste these commands directly, making omission of impact warnings materially unsafe even if the commands are legitimate admin operations.

Missing User Warnings (Medium, 98% confidence)

The dev reset example explicitly wipes config, credentials, sessions, and workspace state, but the danger is not stated inline with the command. Because this skill is designed for troubleshooting and optimization, an automated or hurried operator could run it and irreversibly destroy local state, credentials, or user data.

Missing User Warnings (Medium, 95% confidence)

The template explicitly instructs users to record sensitive infrastructure details such as SSH targets, internal IPs, Tailscale IPs, hostnames, ports, config paths, and log locations. While operationally useful, centralizing this data in a routinely loaded profile increases exposure if the workspace is shared, synced, exfiltrated, or read by other agents without strict need-to-know controls.

Missing User Warnings (Medium, 98% confidence)

The template includes authentication-related fields such as auth mode and gateway token context, which can normalize storing credential material alongside operational notes. Even though the example limits the recorded value to the first 12 characters of the token, the absence of a strong prohibition against full secrets creates a realistic risk that users will paste real tokens or other credentials into persistent markdown files.

VirusTotal

64/64 vendors flagged this skill as clean.