Back to skill

Security audit

Secucheck

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible OpenClaw security-audit tool, but it under-discloses high-impact side effects like auto-running scans and exposing a generated security report on the local network.

Install only if you want an active OpenClaw security-audit tool with shell execution and broad local inspection. Review or disable the auto-review and dashboard behavior before use, prefer localhost-only serving, avoid running it with sudo/root privileges, and treat generated reports as sensitive because they can include host, network, permissions, and agent/workspace details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises a read-only audit but its documented behavior includes shell execution and network activity without any declared permissions boundary. That mismatch can cause the host agent to run commands and expose services in ways users or policy engines did not expect, increasing the chance of over-privileged execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a substantial description-behavior mismatch: the skill claims to be comprehensive and read-only, yet it writes files, starts a background HTTP server, may kill existing processes, and exposes a dashboard over the network. Such hidden side effects can disrupt unrelated services and unintentionally publish sensitive audit results to the LAN.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Automatically starting a web server and opening a dashboard contradicts the read-only claim because it changes system state and creates a new access surface. If the report contains host, network, or permission details, exposing it through a browser-accessible endpoint can leak sensitive configuration data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script invokes privileged firewall inspection via sudo even though the skill is described as a read-only localized audit. While the commands are observational, triggering sudo can prompt for elevation or rely on cached credentials, expanding the skill's effective privilege boundary and violating user expectations about non-privileged execution.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The firewall status logic depends on elevated privilege without clear necessity for the stated audit scope. Even if used only for inspection, embedding sudo in a routine audit script normalizes privilege escalation and can cause the skill to execute with broader access than users expect.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script launches `python3 -m http.server` bound to `0.0.0.0`, making the generated security audit report reachable from any network interface rather than only the local machine. Because the report is stored in a workspace directory and may contain sensitive host or audit details, exposing it over the network contradicts the skill's 'read-only/localized report' framing and increases the chance of unintended disclosure.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The script enumerates local interface addresses using `hostname`, `ip`, and `ifconfig` to derive a LAN-reachable URL. While not directly exploitative, this gathers and surfaces host network information that is not necessary for a strictly local dashboard workflow, and it supports the broader risky behavior of exposing the report over the network.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code comments and surrounding UX imply a local dashboard, but the server is actually bound to all interfaces with `--bind 0.0.0.0`. This mismatch is dangerous because operators may assume the report is only locally visible when it is in fact exposed to other hosts on the network.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest advertises the skill as performing read-only audits, but it requests both command execution and cron capabilities. That mismatch is dangerous because users and reviewers may trust the skill as non-invasive while it can execute system commands immediately and potentially persist scheduled activity, expanding the blast radius well beyond passive inspection.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The declared exec capability is powerful and is not clearly justified by the description of a localized read-only security audit skill. In this context, exec enables arbitrary shell or tool invocation, which can be abused for unauthorized system inspection, tampering, privilege escalation attempts, or data exfiltration if the skill is triggered unexpectedly.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Cron access is inconsistent with a simple localized read-only audit because it introduces persistence and deferred execution. Even without direct write claims in the manifest, scheduled capabilities can be used to rerun scans, invoke other privileged actions later, or create user-surprising behavior that outlives the original request.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The template directs the agent to launch a local dashboard process after generating a report, which exceeds a read-only reporting role and introduces side effects from a markdown template. Even if the script is local, embedding execution behavior in report content can cause unintended process spawning, broaden the skill's effective permissions, and create a path for abuse if the referenced script is modified or replaced.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Including a shell command in a report template creates an execution sink in content that should only format output. This is dangerous because downstream agents may treat template instructions as operational steps, causing command execution without a strong security justification or explicit user consent.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill is described as read-only and report-focused, but the template later instructs running a script and suggests applying fixes, creating a mismatch between declared and actual behavior. This can mislead users and orchestrators into granting trust to a skill that may perform actions, increasing the risk of unauthorized changes or execution.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The template tells users they can say '고쳐줘' and that the system will perform safe fixes, which contradicts the skill's declared read-only behavior. This can mislead users and downstream orchestrators into attempting unauthorized remediation actions or trusting the skill with capabilities it should not have.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The critical-issues example explicitly says the system can fix problems now and modify settings safely, despite the manifest stating the skill is read-only. This creates a capability mismatch that can cause unsafe operator assumptions, prompt unintended privileged workflows, or mask the boundary between auditing and change execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The quick action guidance trains users that '고쳐줘' starts a remediation flow, directly conflicting with the declared read-only scope. Even without actual write capability, this is dangerous because it conditions users and potentially connected agents to expect and authorize state-changing behavior from an audit-only component.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README advertises multiple broad natural-language trigger phrases such as 'security audit', 'run security check', and 'audit my setup'. Generic phrases increase the chance the skill is invoked unintentionally during ordinary conversation, which is especially relevant because the skill is configured to run automatic reviews on installs and configuration changes. While the skill is described as read-only, unintended invocation could still expose sensitive environment details in reports or create noisy, confusing security assessments.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Very broad trigger phrases can cause the skill to run when the user did not intend a security audit, especially in conversational contexts. Because this skill executes shell scripts and may start a dashboard server, accidental invocation can lead to unnecessary system inspection and network exposure.

Vague Triggers

High
Confidence
94% confidence
Finding
The auto-trigger policy is overly broad because it activates during skill installs, agent changes, and cron modifications without a clear consent boundary. In a system that executes shell commands and may expose a dashboard, this can cause repeated unsolicited scans, file writes, and service exposure during normal administration workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Auto-opening a dashboard and preferring a LAN URL without a prominent warning can expose sensitive audit data to other devices on the local network. Users may assume the report is local-only, while the instructions actively encourage sharing a network-reachable endpoint.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The firewall checks perform privileged commands without any explicit warning or consent flow. In a skill marketed as read-only and localized, hidden privilege escalation attempts are risky because they can surprise users, trigger authentication prompts, or succeed under cached/root contexts and broaden access unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically invokes multiple helper scripts and runs `openclaw security audit --deep`, which the comments describe as a live gateway probe, without any in-script confirmation or warning. In a security-audit skill advertised as read-only, silent active probing can surprise users, touch network-reachable services, and violate expected consent boundaries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script enumerates and prints detailed agent and workspace configuration data, including model settings, workspaces, tool lists, subagents, session counts, permissions, and previews of SOUL.md content. In a read-only audit skill this may be expected behavior, but emitting this data wholesale without minimization, consent signaling, or output redaction can leak sensitive local configuration and prompt content to downstream consumers, logs, or less-trusted users.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script collects sensitive environment details such as external IP, privilege state, containerization status, current user, and filesystem permissions, then embeds them into an HTML file on disk. If that file is stored in a shared workspace, synced directory, or served/opened in an unsafe context, it can expose useful reconnaissance data to other local users or downstream tooling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scenarios/credential-exposure.md:44

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
scenarios/prompt-injection.md:65