雷神之影 Mjolnir Shadow

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw backup and recovery skill, but its automatic recovery paths can overwrite live data, install system software, restore executable skills, and restart OpenClaw with limited safety checks.

Review before installing. Use it only if you trust the publisher, your WebDAV server, and the backup archives. Prefer manual restore first, back up the current ~/.openclaw directory before running --auto or restore-kit, inspect archive contents before restoring skills or strategies, avoid passing GPG passphrases through environment variables where possible, and do not run the bare-metal restore kit unless you accept package installation, global npm installs, and OpenClaw service start/restart.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("⚠️  No passphrase set. Config stored unencrypted. / 未设密码,配置未加密。")
        return False
    
    result = subprocess.run(
        ["gpg", "--quiet", "--batch", "--yes", "--symmetric",
         "--cipher-algo", "AES256",
         "--passphrase", passphrase,
Confidence
95% confidence
Finding
result = subprocess.run( ["gpg", "--quiet", "--batch", "--yes", "--symmetric", "--cipher-algo", "AES256", "--passphrase", passphrase, "--output", str(encrypted_f

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if encrypted_file.exists():
        print("🔒 Encrypted config found. Decrypting... / 发现加密配置,正在解密...")
        passphrase = ask("Enter passphrase / 输入密码")
        result = subprocess.run(
            ["gpg", "--quiet", "--batch", "--yes",
             "--passphrase", passphrase,
             "--decrypt", str(encrypted_file)],
Confidence
95% confidence
Finding
result = subprocess.run( ["gpg", "--quiet", "--batch", "--yes", "--passphrase", passphrase, "--decrypt", str(encrypted_file)], capture_output=

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents significant capabilities including shell execution, local file read/write, and network upload/download, but does not declare permissions. This weakens platform trust boundaries and informed consent because users and policy engines cannot easily assess the real access level before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest frames the skill as a backup utility, but the README also describes restore, bare-metal recovery, package installation, external downloads, npm installation, and service restart behavior. This mismatch is dangerous because users may invoke a seemingly low-risk backup skill that can instead modify the host, fetch remote code, and restart critical services.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script claims credentials are never exposed in process listings, but when MJOLNIR_SHADOW_PASS is set it invokes gpg with --passphrase on the command line. On many systems, command-line arguments are visible to other local users via ps, /proc, audit logs, or shell history wrappers, which can leak the decryption secret for the backup config.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script claims to be a backup restore kit but also performs broad host bootstrap actions such as installing dependencies, Node.js, and OpenClaw. That materially expands its capability from data recovery into system provisioning, increasing the chance of unauthorized software changes and supply-chain exposure on the target host.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The restore flow deploys skills and trading strategies in addition to workspace backup data, which can reintroduce executable or behavior-changing content onto the host. Restoring active code artifacts from backup without validation increases the risk of persistence, unsafe automation, and reactivation of previously compromised components.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Automatically starting or restarting OpenClaw after restore turns a data recovery action into service activation. If the restored state contains unsafe configs, skills, or compromised artifacts, the script immediately operationalizes them without giving the user a review checkpoint.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script automatically installs Node.js and OpenClaw, including piping a remote setup script into a privileged shell and downloading binaries for extraction into /usr/local. For a backup tool, this is unnecessary privilege expansion and creates supply-chain and unauthorized software installation risk.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script provisions system packages with apt or brew as part of a restore workflow, changing the host state beyond what is needed for backup recovery. This broadens the blast radius of the tool and can introduce unexpected packages, privileged actions, and platform-specific breakage.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script automatically runs 'openclaw gateway restart' after a restore with no confirmation or dry-run step. Restarting a service changes system state beyond simple file recovery and could unexpectedly activate restored configs, skills, or workflows immediately, increasing the blast radius of a bad or tampered backup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README strongly promotes one-click restore and shows it restoring files into `~/.openclaw/workspace`, `~/.openclaw`, and `~/.openclaw/workspace/skills/`, but it does not clearly warn that this process may overwrite existing local data. Users may run recovery on a machine with partially valid state and unintentionally destroy newer memories, configs, or skills, causing data loss and unsafe rollback.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The recovery-kit documentation advertises fully automatic setup on fresh systems, including installing WSL2, Ubuntu, Node.js, and OpenClaw, but does not clearly warn that these scripts will modify the host environment and may require elevated privileges, reboots, package installs, and system configuration changes. This increases the chance that users execute powerful bootstrap scripts without informed consent, which is especially risky in a security-sensitive backup/restore context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description includes broad trigger phrases such as backup, data safety, disaster recovery, workspace protection, and system backup in two languages. Overly broad triggers increase the chance the skill is selected in unrelated contexts, causing sensitive file access, network transfer, or destructive restore actions when the user did not intend this tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes a one-click automatic restore that decrypts, downloads, restores all components, and restarts OpenClaw, but does not prominently warn about overwriting local files or service interruption. In a disaster-recovery context this can lead to accidental data loss, restoration of stale or malicious backups, and unplanned downtime.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Archives are extracted directly into live user directories without an overwrite warning, dry run, or confirmation. This can silently replace local workspace files, configs, and code artifacts, causing data loss or activating stale or malicious content from the backup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Auto-restore downloads an archive from remote storage, extracts multiple nested tarballs directly into configured paths, and restarts the service without any explicit user approval. In the context of backups pulled from WebDAV, a compromised remote store or misconfiguration could cause destructive overwrite or deployment of attacker-controlled workspace/config content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script collects the encryption passphrase using visible terminal input and then forwards it to GPG on the command line. This can expose the secret both to shoulder-surfing/terminal logging and to local process inspection, undermining the protection of the encrypted config.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes WebDAV credentials to backup-config.json before asking whether to encrypt it, so secrets are persisted in plaintext on disk by default during setup. If encryption later fails, is skipped, or the file is read by another local process or backup agent, remote backup credentials are exposed. In a backup skill, these credentials can grant access to sensitive archived workspace data, increasing impact.

VirusTotal

54/54 vendors flagged this skill as clean.
