Back to skill

Security audit

Fortress Agent Suite

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed high-privilege maintenance skill, but it needs review because it can persist as a scheduled root task, change system and workspace state, send Telegram notifications, and install other skills automatically.

Install only on a dedicated OpenClaw host you own and trust. Before enabling it, review or disable self_improver.py, Telegram notifications, cron self-enforcement, broad Git auto-commits, log deletion, and cache dropping; verify that backups and commits will not preserve secrets; and document how to remove the cron jobs and roll back configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (26)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
cfg[k.strip()] = v.strip()
    token, chat_id = cfg.get('BOT_TOKEN'), cfg.get('CHAT_ID')
    if token and chat_id:
        os.system(f"curl -s 'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={urllib.parse.quote_plus(msg)}' > /dev/null")

def check():
    try:
Confidence
95% confidence
Finding
os.system(f"curl -s 'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={urllib.parse.quote_plus(msg)}' > /dev/null")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
token = config.get('BOT_TOKEN')
    chat_id = config.get('CHAT_ID')
    if token and chat_id:
        os.system(f"curl -s 'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={urllib.parse.quote_plus(msg)}' > /dev/null")


def append_memory(message):
Confidence
98% confidence
Finding
os.system(f"curl -s 'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={urllib.parse.quote_plus(msg)}' > /dev/null")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def install_skill(slug):
    log(f"Installing {slug}")
    result = os.popen(f"openclaw skills install {slug} 2>&1").read()
    if 'error' in result.lower() or 'failed' in result.lower():
        log(f"Install failed {slug}: {result[:200]}", level='error')
        return False, result
Confidence
99% confidence
Finding
result = os.popen(f"openclaw skills install {slug} 2>&1").read()

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Disk space check (thấp hơn 500MB thì dọn log)
    total, used, free = shutil.disk_usage("/")
    if free < 500 * 1024 * 1024:
        os.system('find /root/.openclaw/logs -name "*.log" -mtime +7 -delete')

    # Memory check (nếu swap đầy thì dọn rác)
    if psutil.swap_memory().percent > 90:
Confidence
93% confidence
Finding
os.system('find /root/.openclaw/logs -name "*.log" -mtime +7 -delete')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# Memory check (nếu swap đầy thì dọn rác)
    if psutil.swap_memory().percent > 90:
        os.system('sync; echo 3 > /proc/sys/vm/drop_caches')

if __name__ == "__main__": check_system()
Confidence
97% confidence
Finding
os.system('sync; echo 3 > /proc/sys/vm/drop_caches')

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
status = subprocess.check_output(['git', '-C', str(WORKSPACE), 'status', '--porcelain']).decode()
        if status:
            # If there are uncommitted changes, auto-commit them (backup mode) / Nếu có thay đổi chưa commit, tự động commit (backup kiểu git)
            os.system(f"git -C {WORKSPACE} add . && git -C {WORKSPACE} commit -m 'Auto-backup: {os.popen('date').read().strip()}'")

    # Kiểm tra crontab
    cron = subprocess.check_output(['crontab', '-l']).decode()
Confidence
90% confidence
Finding
os.system(f"git -C {WORKSPACE} add . && git -C {WORKSPACE} commit -m 'Auto-backup: {os.popen('date').read().strip()}'")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
required = ["backup.py", "health_check.py", "system_watchdog.py"]
    for r in required:
        if r not in cron:
            os.system(f"crontab -l | {{ cat; echo '*/30 * * * * /root/.openclaw/.venv/bin/python /root/.openclaw/scripts/self-healing/{r}'; }} | crontab -")

if __name__ == "__main__": check_integrity()
Confidence
99% confidence
Finding
os.system(f"crontab -l | {{ cat; echo '*/30 * * * * /root/.openclaw/.venv/bin/python /root/.openclaw/scripts/self-healing/{r}'; }} | crontab -")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
status = subprocess.check_output(['git', '-C', str(WORKSPACE), 'status', '--porcelain']).decode()
        if status:
            # If there are uncommitted changes, auto-commit them (backup mode) / Nếu có thay đổi chưa commit, tự động commit (backup kiểu git)
            os.system(f"git -C {WORKSPACE} add . && git -C {WORKSPACE} commit -m 'Auto-backup: {os.popen('date').read().strip()}'")

    # Kiểm tra crontab
    cron = subprocess.check_output(['crontab', '-l']).decode()
Confidence
90% confidence
Finding
os.system(f"git -C {WORKSPACE} add . && git -C {WORKSPACE} commit -m 'Auto-backup: {os.popen('date').read().strip()}'")

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code autonomously fetches skill metadata from an external API and later installs skills with no interactive approval, provenance verification, or meaningful content review. The only gate is a trivial keyword scan and optional GitHub stars check, which is easily bypassed and does not establish trustworthiness, making this an unsafe self-modifying/self-extending mechanism.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads local Telegram configuration containing bot credentials and uses it to send outbound messages, but there is no user disclosure, consent flow, or minimization of sensitive data handling. In this context, accessing local credential material from a self-improving installer increases the blast radius because the same component already performs remote network actions and shell execution.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code presents a safety scan (`scan_content`) based on a small blacklist of dangerous keywords, yet the same script itself performs shell execution and external network operations that the scan is ostensibly trying to detect. This creates a false sense of safety and materially weakens trust in the installation decision, because malicious skills can evade simple substring checks while still being installed automatically.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The watchdog performs destructive cleanup and kernel cache manipulation based solely on resource thresholds, despite no demonstrated need from the skill context. In an agent skill, such host-level actions are especially dangerous because they affect the broader system, not just the skill's own data, and can hide evidence or destabilize the environment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script does more than verify integrity: it installs cron-based persistence for multiple local scripts. That is a classic persistence mechanism and is especially suspicious because it is framed as a benign integrity check while altering the system to keep code running indefinitely.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment says the code is checking crontab, but the implementation actively modifies it. This mismatch is dangerous because it conceals system-altering behavior from reviewers and users, reducing the likelihood that persistence will be noticed or challenged.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation instructions tell the user to install a system crontab entry that will run persistently in the background, but they do not explain what will execute, how often it runs, what privileges it uses, or how to remove it. In a security-sensitive agent skill, asking users to establish silent persistent execution materially increases risk because it creates long-lived behavior outside normal user awareness and review.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently modifies a root-owned application config and immediately restarts the gateway, causing a persistent configuration change without any confirmation or disclosure. In an agent-skill context, this is more dangerous because it can alter runtime behavior and service routing behind the user's back, potentially redirecting model traffic or disrupting service availability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads a secret API token from disk automatically and uses it to update provider configuration without notifying the user. In a skill setting, undisclosed secret access is risky because it normalizes covert credential use and could be extended to exfiltration or unauthorized service enrollment even though this specific file does not transmit the token anywhere except into local config.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The health check automatically performs recovery actions after any exception, with no confirmation, no visible audit controls, and broad exception handling. In this context, a transient error, PATH hijack, or intentionally induced failure could trigger restore.run_restore() unexpectedly, potentially causing disruptive or privileged system changes.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The script sends system availability information to Telegram, an external third party, without any in-code consent, disclosure, or minimization controls. Even though the transmitted message is short, it reveals operational status and recovery events, which can leak sensitive infrastructure telemetry if the config is enabled.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The script overwrites a live configuration file from the latest backup and immediately restarts the gateway with no confirmation, validation, integrity check, or rollback guard. In a self-healing context, this can cause denial of service, restore unsafe or attacker-tainted configuration, or unexpectedly revert security settings if the backup source is stale or compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Telegram notification path sends configuration-derived credentials and runtime-generated message content through a shell-invoked `curl` command with no user-facing notice. This is dangerous because secrets appear in the process command line and can be exposed to local process inspection/logging, while the shell invocation also introduces injection risk from config values.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script installs skills by executing a shell command without any confirmation, warning, or trust boundary enforcement. In context, this is especially dangerous because the component is explicitly designed to self-modify by adding new capabilities from external sources, so a bad candidate can lead directly to persistent compromise or expansion of agent privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic deletion of logs without warning or confirmation is risky because logs may contain audit trails needed for troubleshooting, incident response, or compliance. In this context, silent cleanup is more dangerous because the skill runs autonomously and targets root-owned paths, so users may lose visibility into what was removed and why.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Executing cache-dropping behavior without disclosure or operator approval can unexpectedly impact system performance and running services. Because this skill appears to run automatically on the host, the hidden nature of the action makes it more dangerous by preventing informed consent, troubleshooting, and safe coordination with other workloads.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically committing all detected workspace changes without notice or confirmation undermines user control and can preserve malicious or sensitive content. In a security-sensitive agent workspace, silent commits make incident response and provenance tracking harder because unexpected changes are normalized and retained.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.