Openclaw Safety Guard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine OpenClaw health monitor, but it also creates recurring execution, sends local security summaries to Feishu, and applies a local permission change, and none of those three actions is gated behind a separate approval step.

Install only if you accept all of the following: a recurring weekday local scan that reads OpenClaw workspace state, stores local history, sends summaries to a bound Feishu open_id, runs Node build tooling, and automatically chmods the Gateway LaunchAgent plist. Use least-privileged Feishu credentials, keep those credentials out of the workspace .env, and confirm how to disable the cron job and the automatic GREEN fixes before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        sys.exit(1)

    print("Frontend deps missing, running npm install...")
    result = subprocess.run(
        [npm_bin, "install"],
        cwd=FRONTEND_DIR,
        capture_output=True,
Confidence
87% confidence
Finding
result = subprocess.run( [npm_bin, "install"], cwd=FRONTEND_DIR, capture_output=True, text=True, timeout=300, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not npm_bin:
        print("npm is required to build the dashboard frontend.", file=sys.stderr)
        sys.exit(1)
    result = subprocess.run(
        [npm_bin, "exec", "--", "vite", "build"],
        cwd=FRONTEND_DIR,
        capture_output=True,
Confidence
74% confidence
Finding
result = subprocess.run( [npm_bin, "exec", "--", "vite", "build"], cwd=FRONTEND_DIR, capture_output=True, text=True, timeout=180, )
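Both subprocess findings above come down to the same two problems: an unpinned, network-resolving `npm install` can run arbitrary install-time scripts from any dependency, and `subprocess.run` hands the child the parent's whole environment, Feishu secrets included. The following is an added example of how a practitioner would harden that step; it is not code from the scanned skill or from SkillSpector. It assumes the frontend directory holds a `package.json`, and the list of credential-shaped variable names it scrubs is an assumption.

```python
"""Hardened wrapper for the dashboard's npm steps (added example, not the skill's code)."""
from __future__ import annotations

import os
import shutil
import subprocess
from pathlib import Path

LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json")
# Assumed naming patterns for variables a package build has no reason to see.
SECRET_PREFIXES = ("FEISHU_", "OPENCLAW_", "AWS_", "GITHUB_")
SECRET_SUFFIXES = ("_SECRET", "_TOKEN", "_KEY", "_PASSWORD")


def scrubbed_env(env: dict[str, str] | None = None) -> dict[str, str]:
    """Copy of `env` (default: os.environ) with credential-shaped variables removed.

    subprocess.run inherits the parent's environment by default, so a postinstall
    script from any dependency would otherwise be able to read FEISHU_APP_SECRET.
    """
    source = dict(os.environ) if env is None else env
    return {
        name: value
        for name, value in source.items()
        if not name.upper().startswith(SECRET_PREFIXES)
        and not name.upper().endswith(SECRET_SUFFIXES)
    }


def has_lockfile(frontend_dir: Path) -> bool:
    """True when dependencies are pinned by a lockfile npm ci can consume."""
    return any((frontend_dir / name).is_file() for name in LOCKFILES)


def install_argv(frontend_dir: Path) -> list[str]:
    """Argv for a reproducible, lifecycle-script-free install.

    `npm ci` installs exactly what the lockfile pins and refuses to run without
    one; `--ignore-scripts` stops install-time code shipped by dependencies.
    Failing closed here replaces the flagged fallback to a bare `npm install`.
    """
    if not (frontend_dir / "package.json").is_file():
        raise FileNotFoundError(f"no package.json in {frontend_dir}")
    if not has_lockfile(frontend_dir):
        raise RuntimeError(
            f"refusing to install in {frontend_dir}: no lockfile, dependencies are unpinned"
        )
    return ["npm", "ci", "--ignore-scripts"]


def build_argv() -> list[str]:
    """The build step itself, the same command the scanner quoted."""
    return ["npm", "exec", "--", "vite", "build"]


def run_npm_step(argv: list[str], cwd: Path, timeout: int) -> subprocess.CompletedProcess:
    """Run one npm step with a scrubbed environment, a hard timeout and check=True."""
    npm = shutil.which(argv[0])
    if npm is None:
        raise FileNotFoundError("npm is not on PATH")
    return subprocess.run(
        [npm, *argv[1:]],
        cwd=cwd,
        env=scrubbed_env(),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )


if __name__ == "__main__":
    frontend = Path("frontend")  # assumed location of the dashboard sources
    if not (frontend / "node_modules").is_dir():
        run_npm_step(install_argv(frontend), frontend, timeout=300)
    run_npm_step(build_argv(), frontend, timeout=180)
```

Packages that genuinely need a lifecycle script to function will have to be handled by an explicit per-package exception rather than by dropping `--ignore-scripts` globally; the vite build still executes the project's own config, which this wrapper does not try to sandbox.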

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires environment access, file read/write, shell execution, scheduling, and network communication to Feishu. This under-declaration is dangerous because users and platform policy checks cannot accurately assess the real access the skill will use, increasing the chance of silent data exposure or unintended system modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is health scanning and reporting, but the documented behavior also includes persistent installation changes, immediate execution after install, log/history retention, optional external sharing, and automatic repair actions. That mismatch is dangerous because users may consent to passive scanning without realizing the skill can alter local configuration, create persistence, retain potentially sensitive telemetry, and transmit results externally.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The stylesheet imports fonts from Google Fonts, causing client browsers to make third-party network requests whenever the UI is loaded. In a safety/reporting skill, this is unnecessary external data flow that can leak user metadata such as IP address, user agent, timing, and referrer context, and it also introduces a supply-chain/privacy dependency on an external service.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script's stated role is dashboard generation, but it also performs package management by automatically installing frontend dependencies. That materially broadens the script's power and introduces supply-chain and arbitrary code-execution risk that is not strictly necessary for producing a report dashboard.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The helper explicitly reads Feishu credentials from the workspace .env file when they are absent from the process environment, which broadens the skill's access to local secret material beyond its stated purpose. Even though it only selects named variables, this still creates a credential-discovery path from repository-local files and makes secret use less visible and harder to govern.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring states credentials come from inherited environment variables, but the implementation also searches the workspace .env file. This mismatch is security-relevant because reviewers and operators may believe the script cannot read repository-local secrets when in fact it can, undermining trust and secret-handling assumptions.
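The two findings above describe the same credential-discovery path: when a Feishu variable is absent from the process environment, the helper goes looking for it in the workspace `.env`, even though the docstring promises inherited environment variables only. The block below is an added example, not the skill's code or SkillSpector's: it reimplements that fallback in miniature so the behaviour can be seen, puts a strict loader beside it that only accepts the process environment and fails closed, and adds the one-function check a reviewer would run to find out whether the workspace `.env` currently holds Feishu credentials. The variable names, the `.env` location at the workspace root and the `.env` syntax handled are assumptions.

```python
"""Credential sourcing with and without a repository-local fallback (added example)."""
from __future__ import annotations

import os
from collections.abc import Iterable, Mapping
from pathlib import Path

# Assumed names; the skill's README refers to these two for outbound messaging.
FEISHU_VARS = ("FEISHU_APP_ID", "FEISHU_APP_SECRET")


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks/comments, honours `export`, strips one quote layer."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_with_fallback(workspace: Path, names: Iterable[str], env: Mapping[str, str]) -> dict[str, str]:
    """The flagged pattern: anything missing from `env` is pulled from <workspace>/.env.

    Anyone who can write that file can inject credentials, and a reviewer who
    trusts the docstring would not expect repository-local secrets to be read.
    """
    names = list(names)
    found = {n: env[n] for n in names if n in env}
    missing = [n for n in names if n not in found]
    dotenv = workspace / ".env"
    if missing and dotenv.is_file():
        file_values = parse_dotenv(dotenv.read_text())
        found.update({n: file_values[n] for n in missing if n in file_values})
    return found


def load_strict(names: Iterable[str], env: Mapping[str, str]) -> dict[str, str]:
    """Hardened loader: process environment only, fail closed on anything missing."""
    names = list(names)
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise LookupError(
            f"missing credentials: {', '.join(missing)} "
            "(set them in the Gateway environment, not in a workspace .env)"
        )
    return {n: env[n] for n in names}


def dotenv_secret_findings(workspace: Path, names: Iterable[str] = FEISHU_VARS) -> list[str]:
    """Reviewer check: which sensitive names does the workspace .env currently define?"""
    dotenv = workspace / ".env"
    if not dotenv.is_file():
        return []
    present = parse_dotenv(dotenv.read_text())
    return [n for n in names if present.get(n)]


def redact(value: str) -> str:
    """Keep a short prefix so a credential is recognisable in logs but not reusable."""
    return value[:4] + "..." if len(value) > 4 else "..."


if __name__ == "__main__":
    ws = Path.cwd()  # assumed: the skill's workspace root
    for name in dotenv_secret_findings(ws):
        print(f"warning: {name} is defined in {ws / '.env'}; move it to the Gateway environment")
    creds = load_strict(FEISHU_VARS, os.environ)
    print({k: redact(v) for k, v in creds.items()})
```

The strict loader is deliberately unhelpful about where else to look: if the Gateway environment does not carry the variables, the scan should stop and say so rather than widen its search.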

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The pipeline silently executes fix_green.py after reporting, even though the skill description presents the feature as a scanner/reporting tool. This creates an unexpected write-capable remediation path that can modify files or system state without explicit user consent, increasing the blast radius if the fix logic is flawed, overbroad, or compromised.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment asserts that only safe, non-business-logic auto-fixes are applied, but the code does not enforce any such limitation before running fix_green.py. Security-relevant behavior is delegated entirely to another script without policy checks, so users may trust guarantees that are not technically validated at this execution point.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The setup script searches upward for and modifies the host-level `.openclaw/state/cron/jobs.json`, then registers a persistent scheduled agent task. This creates durable execution beyond the current session and broadens the skill's control over the host environment, which is sensitive because the manifest frames the feature as health scanning/reporting rather than direct orchestration of global scheduler state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic generation of local dashboard/JSON logs and Feishu reports but does not clearly disclose what data may be collected, retained locally, or transmitted externally. For a monitoring skill that scans security, memory, shared files, and communications state, this omission can lead users to enable continuous reporting without informed consent, increasing the risk of sensitive metadata or findings being exposed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to place FEISHU_APP_ID and FEISHU_APP_SECRET in Gateway environment variables for outbound messaging, but it does not warn that these are sensitive credentials or describe how they are protected from logging, dashboard output, or accidental disclosure. In a skill centered on automated scanning and reporting, weak guidance around messaging secrets materially increases the chance of credential mishandling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents automatic weekday scanning and report delivery without an explicit warning that this is recurring collection and transmission of workspace status information. Because the scans cover multiple operational and security dimensions and produce archived snapshots, unattended execution can continuously accumulate and send sensitive operational context unless users are clearly informed and given controls.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manual triggers are ordinary conversational phrases such as '体检' ("health check") and '跑一遍安全检查' ("run a security check"), which can plausibly appear in normal chat and unintentionally invoke a full scan. Because this skill performs filesystem inspection, reporting, and notification, accidental activation can cause unnecessary data processing and outbound disclosure of scan summaries.
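The difference between a trigger that fires on a phrase anywhere in a message and one that fires only when the whole message is the phrase is what decides whether ordinary chat can start a scan with outbound side effects. The block below is an added example, not the skill's or SkillSpector's code: it keeps the loose substring matcher to show the failure mode, and beside it a strict matcher that normalises whitespace, case and trailing punctuation, requires the entire message to equal a trigger phrase, and accepts only allowlisted senders. The sender ids, the allowlist and the sample messages are constructed; the two Chinese phrases are the ones the finding quotes.

```python
"""Loose versus strict trigger matching for a side-effecting scan (added example)."""
from __future__ import annotations

import unicodedata

# The documented trigger phrases from the finding, plus an assumed English one.
TRIGGERS = ("体检", "跑一遍安全检查", "run a security check")
# Punctuation a chat client commonly appends; stripped before comparison.
_TRAILING = "。！？!?.,，、 \t"


def normalize(text: str) -> str:
    """NFKC-fold (fullwidth punctuation becomes ASCII), casefold, collapse whitespace, drop trailing punctuation."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = " ".join(text.split())
    return text.rstrip(_TRAILING)


def loose_match(message: str) -> bool:
    """Substring matching: the behaviour the finding warns about."""
    msg = normalize(message)
    return any(normalize(t) in msg for t in TRIGGERS)


def strict_match(message: str, sender: str, allowed_senders: frozenset[str]) -> bool:
    """Whole-message match, and only from a sender the operator has allowlisted."""
    if sender not in allowed_senders:
        return False
    return normalize(message) in {normalize(t) for t in TRIGGERS}


if __name__ == "__main__":
    operators = frozenset({"ou_operator"})  # constructed open_id allowlist
    for msg, who in [("体检", "ou_operator"), ("我明天去医院体检", "ou_operator"), ("体检", "ou_stranger")]:
        print(f"{msg!r} from {who}: loose={loose_match(msg)} strict={strict_match(msg, who, operators)}")
```

The sentence 我明天去医院体检 ("I am going to the hospital for a check-up tomorrow") contains the trigger as a substring and would start a scan under the loose matcher; the strict matcher ignores it, and ignores the exact phrase from a sender who is not allowlisted.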

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill asks for Feishu credentials and describes reporting, but it does not prominently warn that scan results are sent via private Feishu messages to a bound open_id. In a security-scanning context, reports may contain sensitive configuration or health details, so insufficient disclosure raises the risk of users unknowingly enabling outbound transmission of internal information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The post-install flow automatically writes configuration, registers a cron job, and immediately performs a full scan that sends a report within seconds, without a strong upfront warning or consent checkpoint. Automatic state changes plus immediate execution are risky because installation alone causes persistence and outbound activity before the user can review scope, retention, or recipients.
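The findings on the silent `fix_green.py` step, the unenforced "safe fixes only" comment, the undisclosed Feishu delivery and the post-install auto-run all ask for the same thing: a consent checkpoint that the code enforces rather than the README describes. The block below is an added example of such a gate, not the skill's code or SkillSpector's. It plans what the pipeline may do after a scan without doing any of it: automatic fixes run only when explicitly enabled and only for an allowlisted fix id, and a report leaves the host only when sending is enabled and a recipient open_id is configured; everything else is recorded as blocked for the operator to review. The config keys, the fix ids (including the plist chmod) and the shape of a finding are assumptions.

```python
"""Default-deny gate for a scanner's write and send paths (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Fix ids the operator has reviewed and accepted for unattended application (assumed).
SAFE_FIX_ALLOWLIST = frozenset({"prune_stale_history", "normalize_report_dir"})


@dataclass(frozen=True)
class Policy:
    allow_auto_fix: bool = False          # default off: scan-and-report only
    allow_send: bool = False              # default off: nothing leaves the host
    recipient_open_id: str | None = None  # explicit recipient, never inferred
    fix_allowlist: frozenset[str] = SAFE_FIX_ALLOWLIST


def policy_from_config(cfg: dict) -> Policy:
    """Build a Policy from a config mapping; a missing or unknown key means deny."""
    return Policy(
        allow_auto_fix=bool(cfg.get("allow_auto_fix", False)),
        allow_send=bool(cfg.get("allow_send", False)),
        recipient_open_id=cfg.get("recipient_open_id") or None,
        fix_allowlist=frozenset(cfg.get("fix_allowlist", SAFE_FIX_ALLOWLIST)),
    )


@dataclass
class Plan:
    apply: list[str] = field(default_factory=list)    # fixes that will run
    blocked: list[str] = field(default_factory=list)  # fixes refused, with the reason
    send_to: str | None = None                        # recipient, or None for local-only


def plan_actions(findings: list[dict], policy: Policy) -> Plan:
    """Decide what may happen after a scan. Pure: nothing is modified or sent here."""
    plan = Plan()
    for finding in findings:
        fix = finding.get("fix_id")
        if not fix:
            continue  # a finding with no proposed fix is report-only
        if not policy.allow_auto_fix:
            plan.blocked.append(f"{fix}: auto-fix disabled")
        elif fix not in policy.fix_allowlist:
            plan.blocked.append(f"{fix}: not in allowlist")
        else:
            plan.apply.append(fix)
    if policy.allow_send and policy.recipient_open_id:
        plan.send_to = policy.recipient_open_id
    return plan


if __name__ == "__main__":
    # Constructed findings in the assumed shape; the chmod fix stands in for the plist change.
    sample = [
        {"check": "history", "fix_id": "prune_stale_history"},
        {"check": "launchagent", "fix_id": "chmod_gateway_plist"},
        {"check": "memory"},
    ]
    plan = plan_actions(sample, policy_from_config({"allow_auto_fix": True}))
    print(f"apply={plan.apply} blocked={plan.blocked} send_to={plan.send_to}")
```

With the defaults, installing the skill leaves it in scan-and-report-locally mode; the operator turns on fixes and delivery deliberately, and the plist chmod stays blocked until someone adds its id to the allowlist after reviewing what it does.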

Credential Access

High
Category
Privilege Escalation
Content
def load_env_fallback(var_names: list[str]) -> dict[str, str]:
    """Load selected vars from workspace .env when current process env is missing them."""
    env_path = Path(get_workspace_root()) / ".env"
    if not env_path.exists():
        return {}
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def load_env_fallback(var_names: list[str]) -> dict[str, str]:
    """Load selected vars from workspace .env when current process env is missing them."""
    env_path = Path(get_workspace_root()) / ".env"
    if not env_path.exists():
        return {}
Confidence
98% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal