Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Secucheck

v2.8.0

Comprehensive security audit for OpenClaw. Scans 7 domains (runtime, channels, agents, cron, skills, sessions, network), supports 3 expertise levels, context-aware analysis, and visual dashboard. Read-only with localized reports.

by Joonyoung Park (@jooneyp)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim a read-only security auditor — that aligns with the included checks and dashboard. However the SKILL.md and scripts clearly read local OpenClaw config and runtime state (e.g. ~/.openclaw, network interfaces), yet the registry metadata declares no required config paths or credentials. Also _meta.json version (2.7.0) inside the package does not match registry metadata (2.8.0). These mismatches reduce traceability and make it harder to confirm the skill's provenance.
Instruction Scope
Agent instructions run a packaged full_audit.sh and then serve a dashboard using serve_dashboard.sh. The SKILL.md explicitly instructs using the LAN-accessible `url` (not localhost) when reporting the dashboard. That encourages exposing an HTML report to the local network. The SKILL.md also declares auto-trigger conditions (on skill install / agent/crons changes). Prompt-injection patterns were detected inside SKILL.md, indicating the skill text may contain phrases meant to override or manipulate the agent's normal instruction handling. All of this expands the runtime scope beyond a simple, passive audit.
Install Mechanism
No external install/download steps — scripts and templates are bundled with the skill. No network-install URLs or extract operations in the manifest were found. That reduces supply-chain risk compared with remote downloads.
Credentials
The skill declares no required env vars or config paths, but its checks and scripts are explicitly intended to read OpenClaw configuration, session directories, network interfaces, and credential locations (e.g. ~/.openclaw paths referenced in the documentation). That is a mismatch: the skill will access potentially sensitive local files without having them declared in metadata. The README/checks also suggest reading tokens and credential files for permission checks, which is reasonable for an auditor but should be explicit in metadata and user consent.
Persistence & Privilege
The package metadata does not request always:true and doesn't declare persistent system changes; the skill claims 'read-only' and 'never modifies configuration automatically'. However SKILL.md instructs auto-triggering on events (skill install, agent changes, cron changes) and to automatically start a local server and report a LAN IP. Autonomous invocation is allowed (default) — combined with the auto-trigger behavior and LAN-serving dashboard, this increases the practical blast radius if misused. No direct evidence of modifying other skills or system-wide settings was found.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] unexpected: Detected in SKILL.md content. Prompt-injection language can be used to try to override agent instruction flow; not expected as part of a benign audit skill's agent-facing instructions.
[prompt-injection:you-are-now] unexpected: Detected in SKILL.md content. Phrases that attempt to reassign agent identity or override prior instructions are a red flag for manipulation attempts and should be reviewed.
What to consider before installing
What to check before installing or running secucheck:

1) Inspect scripts before execution. Open scripts/full_audit.sh, serve_dashboard.sh, and all gather_*.sh to verify they only run read-only commands (ip/ss/netstat, reading ~/.openclaw config, etc.). Look specifically for network download commands (curl/wget), encoded payloads (base64, xxd), or destructive commands (rm -rf, dd, mkfs).
2) Confirm the dashboard binding behavior. Examine serve_dashboard.sh to see which address it binds to (localhost vs 0.0.0.0 vs a specific LAN IP) and which port it uses. If it binds to a non-localhost address, consider changing it to localhost or running it inside an isolated container/VM.
3) Review the SKILL.md prompt text for the flagged injection phrases; remove or sanitize any language that could be interpreted by the agent as an instruction override. Treat any embedded 'you are now' / 'ignore previous' style phrases as suspicious.
4) Run the skill in an isolated environment first (container or throwaway VM) and with no elevated privileges. Do not run it as root; the checks themselves warn of high risk when OpenClaw runs as root. Prefer a non-root account with read-only access to a copy of the OpenClaw config.
5) Verify provenance and metadata. The package has no homepage and its source is unknown; confirm the author and repository, and resolve the internal version mismatch before trusting it in production.
6) If you want the report accessible remotely, explicitly consent to that and secure it (HTTPS, auth, or Tailscale). Avoid automatically advertising a LAN URL to users/devices that shouldn't access it.

If you are unsure, mark this skill as untrusted until a manual code review is completed, or ask the author for a signed release/source repository. Running audits is reasonable, but the metadata mismatches and prompt-injection indicators mean you should not run this skill unattended on sensitive systems.



