OpenClaw Cloudflare Secure

Security checks across malware telemetry and agentic risk

Overview

This skill performs powerful Cloudflare Tunnel and DNS setup actions, which are disclosed as part of its stated purpose of exposing the OpenClaw WebUI.

Install this only on the VPS and Cloudflare zone you intend to manage. Use a zone-scoped Cloudflare API token, back up or inspect existing DNS records before cutover, verify the cloudflared package source if possible, and confirm the Cloudflare Access allowlist before relying on the public hostname.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes shell commands, uses environment-provided credentials, and performs network/system operations, but it does not declare those permissions. That creates a trust and review gap: an agent or user may approve the skill without understanding it can modify DNS, install software, and manage services with elevated privileges.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill is described as a secure OpenClaw exposure workflow, but the documented behavior includes broader and more privileged actions such as software installation, persistent service setup, and generic DNS management. This mismatch is dangerous because users may authorize a narrowly described skill that can actually make wider infrastructure changes, increasing the chance of unintended exposure or persistence.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The DNS cutover step explicitly deletes any existing A/AAAA/CNAME records for the hostname before creating the tunnel record, but it does not provide a strong warning or confirmation step about service disruption. If run against an in-use hostname, it can immediately break production routing, email-related subservices, or other dependencies tied to that name.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script silently downloads a package from a moving 'latest' release URL and installs it with root privileges, without any integrity verification, pinning, or user confirmation. In a security-sensitive setup skill, this creates a real supply-chain risk: if the download source, release artifact, or network path is compromised, arbitrary code could be installed as root.

VirusTotal

66/66 vendors flagged this skill as clean.