Security audit

Don't Be Scary

Security checks across malware telemetry and agentic risk

Overview

This looks like a real OpenClaw update/rescue skill, but it gives agents broad update, restart, deletion, background execution, and Telegram credential-handling authority without enough user control.

Install only if you trust this publisher with OpenClaw maintenance authority. Before use, confirm the exact files it may delete or replace, require approval before any rescue or reinstall step, and avoid letting the agent read raw Telegram bot tokens unless you are comfortable with that credential exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs the agent to execute shell commands, but the metadata does not declare corresponding permissions. This creates a trust and review gap: an operator may approve or install the skill without understanding that it launches a background updater, reads local config, modifies installed software, and restarts services.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger examples include the broad phrase "actualízate," which is not specific to OpenClaw and could be interpreted as a general request to update. Ambiguous invocation increases the chance the skill runs unexpectedly, causing software modification, gateway restart, and background execution when the user may have intended something else.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prompt instructs a rescue agent to perform destructive actions, including deleting installed application directories and reinstalling software, without requiring an explicit user confirmation step immediately before those actions. In an agentic setting, this increases the risk of accidental data loss, incorrect restoration from an untrusted snapshot, or service disruption if diagnosis is wrong.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt directs the agent to read a Telegram bot token from the user's config and use it to send a message, but it provides no privacy warning, consent check, or constraint on how the credential is handled. This exposes a sensitive secret to an agent workflow and creates risk of unauthorized outbound communication or credential misuse if the agent is compromised or behaves unexpectedly.

Ssd 3

Medium
Confidence
97% confidence
Finding
These lines explicitly tell the agent to retrieve messaging credentials from a local config file and use them to contact the user. That is a direct secret-handling and exfiltration risk: once an agent can read and act on bot tokens, it can potentially send arbitrary messages, pivot to other chats, or leak the token itself.

Session Persistence

Medium
Category
Rogue Agent
Content
Launch the script **detached** so it survives the gateway restart:

```bash
nohup "<path-to-skill>/scripts/safe-update.sh" </dev/null >/dev/null 2>&1 & disown
```

Then tell the user: "Update launched in background. You'll get Telegram updates at each step." Do not wait for the script to finish — the gateway restart will likely terminate the current agent session. The user is the source of truth via Telegram.
Confidence
90% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
Launch the script **detached** so it survives the gateway restart:

```bash
nohup "<path-to-skill>/scripts/safe-update.sh" </dev/null >/dev/null 2>&1 & disown
```

Then tell the user: "Update launched in background. You'll get Telegram updates at each step." Do not wait for the script to finish — the gateway restart will likely terminate the current agent session. The user is the source of truth via Telegram.
Confidence
90% confidence
Finding
disown

VirusTotal

57/57 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.