DeadClaw

Security checks across malware telemetry and agentic risk

Overview

DeadClaw appears to be a real emergency stop tool, but it gives remote, easily triggered shutdown and restore authority without enough scoping or safeguards.

Install only if you control every channel that can send triggers to OpenClaw. Before enabling it, change the trigger words to a namespaced command, restrict authorized senders/channels, avoid storing Telegram bot tokens in phone shortcuts when possible, test with --dry-run, and review the restore/watchdog behavior in the exact copy that will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (43)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The kill switch is exposed through multiple remote-trigger channels, including arbitrary messaging platforms, web UI, and phone shortcuts, greatly expanding the attack surface for a destructive action. If authentication, authorization, or origin validation is weak or absent, an attacker or accidental sender could remotely halt agents, suspend jobs, and disrupt operations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide tells users to place a Telegram bot token directly into Tasker/HTTP Shortcuts and a home-screen-triggerable workflow. That exposes a sensitive credential to third-party apps, device backups, screenshots, logs, and anyone with access to the phone, enabling unauthorized control of the bot and any connected automation.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script sends a message to a channel derived from TRIGGER_SOURCE without validating that the destination is expected or local-only. In a kill-switch context, outbound messaging broadens the blast radius: an attacker who can influence the trigger source or environment could cause data to be sent to an unintended channel or external system during incident handling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The guide instructs users to place a Telegram bot token directly into Tasker/HTTP Shortcuts on a personal device, exposing a sensitive credential in client-side automation tooling. A bot token is effectively a secret with API authority over the bot, so leakage via screenshots, backups, app export/import, clipboard history, device compromise, or shared phone access could let an attacker send commands or abuse the bot well beyond the intended kill-switch use.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation expands the mechanism from a narrowly scoped emergency stop into a generic pattern for sending the trigger over WhatsApp, Discord, Slack, or any other connected API channel. That broadening encourages reuse of the same unauthenticated or weakly authenticated kill-trigger concept across more integrations, increasing attack surface and making accidental or malicious remote shutdown more likely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The guide instructs users to place a live Telegram bot token directly into an iPhone Shortcut URL, which is a credential-handling weakness because the secret becomes embedded in a client-side automation artifact that may be visible during editing, screenshots, backups, device sharing, or sync workflows. While this is not inherently malicious, it unnecessarily exposes a bot credential and broadens the attack surface beyond the stated kill-switch function.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The restore path performs broad state-changing actions: restoring crontab entries, enabling and starting user services, loading launch agents, restarting Docker containers, and attempting to start the gateway. In a skill marketed as an emergency kill switch, this materially expands capability from stopping agents to re-establishing persistence and execution, which can unexpectedly bring disabled automation back online.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comments promise that the watchdog will not auto-start and frame recovery as cautious, but the implementation later auto-starts the OpenClaw gateway. This mismatch is dangerous because operators may rely on the documented safety guarantees while the script actually reactivates critical infrastructure automatically.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Trigger keywords such as `kill`, `dead`, and `stop everything` are broad, common phrases that can easily appear in ordinary conversation or be replayed by untrusted participants in chat channels. In the context of an immediate destructive shutdown function, ambiguous natural-language triggers create a realistic risk of accidental or malicious invocation causing denial of service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README emphasizes immediate shutdown behavior but does not prominently warn that invocation is destructive and can stop running agents, containers, and scheduled automation. In combination with one-tap and message-based activation, insufficient warning increases the likelihood of operator error and accidental service disruption.

Vague Triggers

High
Confidence
98% confidence
Finding
The trigger set is dangerously broad and includes common words like 'kill', 'dead', and 'status', which are likely to appear in normal conversation or unrelated support messages. Because activation causes destructive actions such as halting agents, stopping containers, and pausing cron jobs, accidental or malicious invocation becomes very plausible across any connected channel.

Vague Triggers

High
Confidence
96% confidence
Finding
The description says to use the skill whenever the user mentions broad shutdown-related phrases, which invites fuzzy matching and over-triggering by the hosting agent. In a multi-channel system, ambiguous intent detection around emergency language can lead to unintended global shutdowns or can be abused by an attacker who phrases messages to resemble distress commands.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
A skill that can kill processes, stop containers, pause scheduled jobs, and auto-trigger from a watchdog should prominently warn that it performs destructive system-wide actions. Without clear warnings, operators may install or enable it without understanding the blast radius, increasing the chance of accidental self-denial-of-service and unsafe deployment practices.

Vague Triggers

High
Confidence
97% confidence
Finding
This is a true vulnerability because the documented trigger phrases are extremely generic (for example, 'kill', 'dead', and 'stop everything') and are intended to fire from ordinary messaging channels. In a skill whose action is to terminate processes, pause scheduled jobs, and disrupt running sessions, accidental or malicious invocation from routine conversation becomes highly plausible and can cause immediate denial of service.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Listening on all connected channels with no narrow activation context creates ambiguous trust boundaries and significantly increases the attack surface. Because the skill is explicitly designed to perform a global emergency shutdown, any unauthorized participant, compromised integration, spoofed message, or accidental mention in any connected channel could halt all agents and scheduled activity.

Vague Triggers

High
Confidence
98% confidence
Finding
The skill advertises highly generic activation phrases for a destructive action that halts agents and pauses jobs. Because the trigger surface includes any connected channel, ordinary conversation or unrelated messages can unintentionally invoke the kill path, creating a denial-of-service condition across the OpenClaw environment.

Vague Triggers

High
Confidence
99% confidence
Finding
Single-word triggers like `kill`, `dead`, and even emoji are extremely ambiguous and can easily appear in normal chat, status discussions, or quoted text. In this skill, those triggers map directly to an emergency stop capability, so accidental or malicious message injection from any connected channel could immediately terminate running processes and disrupt scheduled operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation describes message-based activation from any connected channel but does not prominently warn that a simple message can immediately halt all agents and pause cron jobs. This missing warning increases the likelihood of unsafe deployment, user misunderstanding, and accidental activation in high-traffic or shared channels, amplifying the operational risk of the kill switch.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly shows where to obtain and insert a Telegram bot token but gives no warning that the token is a secret equivalent to a password for the bot. Users may paste it into insecure apps or share screenshots, leading to credential theft and unauthorized kill-switch triggering or bot misuse.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This guide creates a one-tap emergency action that can halt all agents instantly, but it does not warn about accidental activation, misuse by anyone with device access, or the operational disruption that can result. In a kill-switch context, easy triggering without safeguards increases the chance of unintended denial of service.

Vague Triggers

High
Confidence
97% confidence
Finding
Using a generic trigger like "kill" on any connected chat channel creates a real risk of accidental or malicious activation through ordinary conversation, quoted text, forwarded messages, or cross-channel noise. In the context of this skill, activation immediately stops agents, sessions, and scheduled jobs, so the trigger design materially increases the chance of an unauthorized denial-of-service event.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The listing repeatedly promotes instant destructive actions but does not present a prominent up-front warning about operational consequences such as terminating active work, clearing or pausing cron jobs, and killing sessions. In a safety-critical kill-switch skill, insufficient warning increases the likelihood of operator error and unintended service disruption, especially for non-technical users encouraged to use one-tap activation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly tells users to place a live Telegram bot token directly into an iPhone Shortcut URL, which creates a credential-handling risk without any warning about exposure through screenshots, backup/sync, device sharing, shortcut export, or shoulder-surfing. Because that token authorizes bot API calls, disclosure could let an attacker send commands as the bot and potentially trigger the kill switch or other bot-connected actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document encourages a one-tap destructive action from the home screen and even the lock screen, but does not warn about accidental activation, unauthorized use by anyone with physical access, or the operational impact of instantly halting agents. In this skill's context, the action is intentionally disruptive, so reducing friction without safeguards materially increases the chance of unintended denial-of-service.

Vague Triggers

High
Confidence
94% confidence
Finding
Using a generic message trigger like "kill" across connected chat platforms creates a high risk of accidental or unauthorized activation from ordinary conversation, forwarded messages, or messages sent from an untrusted device. In the context of a kill switch that halts agents and pauses jobs, a single ambiguous word can remotely cause denial of service across the environment.

VirusTotal

65/65 vendors flagged this skill as clean.