Openclaw Iflow Doctor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw repair skill, but it can set up persistent watchdogs and create repair scripts that make high-impact system changes without strong approval safeguards.

Install only if you intentionally want an always-on OpenClaw auto-repair watchdog. Prefer manual or diagnosis-only use, avoid root/SYSTEM persistence unless necessary, review every generated .bat/.sh file before running it, back up OpenClaw config and memory data first, and do not paste raw API keys, settings files, or logs into support chats without redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (43)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Bug #4/#5 fix: use expanduser() and do not use the Desktop directory
            healer_script = Path.home().expanduser() / ".iflow" / "memory" / "openclaw" / "openclaw_memory.py"
            
            result = subprocess.run(
                ['python', str(healer_script), '--fix', error_msg, '--logs', error_logs],
                capture_output=True,
                text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ['python', str(healer_script), '--fix', error_msg, '--logs', error_logs], capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises extensive system capabilities including shell execution, file reads/writes, environment access, and network use, but does not declare corresponding permissions. This undermines user consent and platform enforcement because a repair skill can silently modify files, execute commands, or transmit data without a clear trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior goes well beyond diagnosis and repair into persistence installation, watchdog monitoring, process restarts, launcher/script generation, desktop file creation, and iFlow setup/login automation. This mismatch is dangerous because users may authorize a troubleshooting tool without realizing it can establish startup persistence, manipulate processes, or generate scripts that perform destructive system changes.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script requires root and installs a systemd unit into /etc/systemd/system, then enables and starts it. That is a privileged persistence and system-management action; while it may be legitimate for a daemon installer, it exceeds the minimally described 'auto-repair' purpose unless clearly disclosed and justified, making it security-relevant rather than a harmless implementation detail.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer performs persistent installation actions by copying files into the user's OpenClaw skills directory and creating helper scripts outside the immediate execution context. While this may be intended for convenience, it expands the skill's footprint and persistence beyond simple diagnosis/repair behavior, which increases risk if the source directory contents are tampered with or the user did not expect system modification.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code creates launcher scripts (heal.bat) in persistent user-controlled locations, including ~/.iflow/bin, effectively adding an OS-level execution entry point. This is dangerous because it increases the chance of unintended execution, path abuse, or long-lived persistence if the underlying Python file is later modified or replaced.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill generates scripts that uninstall and globally reinstall software via npm, which is a broad and potentially destructive package-management action unrelated to narrow diagnosis. If a user runs the generated script, it can alter the system state, break environments, or install untrusted updated packages without adequate confirmation or validation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generated permission-fix scripts recursively grant broad access across the OpenClaw directory. Such permission changes can weaken local security boundaries, expose sensitive files, or mask underlying ownership problems rather than fixing them safely.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file goes beyond monitoring by automatically invoking an external repair script with no trust check, approval gate, or confinement. In this skill context, auto-repair increases danger because crash conditions become a trigger for executing potentially attacker-modified code, making the watchdog a persistence or post-compromise execution mechanism.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document provides operational commands that modify system state, install a persistent service, and terminate processes, but it does so without explicit safety warnings, rollback guidance, or confirmation requirements. In a skill context, users may copy-paste these commands directly, increasing the chance of unintended disruption or privileged changes on the host.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documentation states the skill will activate automatically whenever OpenClaw errors occur, but it does not define clear scope, triggers, safeguards, or approval boundaries. In a repair skill that can generate scripts and change system state, ambiguous auto-activation increases the chance of unintended execution, privilege misuse, or repairs being applied to the wrong failure condition.

Missing User Warnings

High
Confidence
95% confidence
Finding
The feature list advertises dynamic tool generation, automatic cleanup, and iFlow-assisted repair, but gives no warning that these actions may create, execute, modify, or delete files and configuration. Users are encouraged to trust automatic repair without being informed of potentially destructive side effects, which is especially dangerous in an operational troubleshooting skill.

Missing User Warnings

High
Confidence
97% confidence
Finding
The workflow promises end-to-end self-healing and says no manual intervention is required, normalizing unattended system changes during error conditions. In context, this is more dangerous because the same document describes automatic diagnosis, script generation, cleanup, and fallback to external tooling, creating a credible path to uncontrolled or destructive remediation steps without operator review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to install and enable a persistent system service with sudo and process-control commands, but it does not clearly warn that this creates a privileged, auto-starting component that can restart processes and survive reboots. In an agent skill context, undocumented persistence and service management materially increase risk because users may execute these commands without understanding the system-wide impact.

Missing User Warnings

High
Confidence
99% confidence
Finding
The Windows instructions create a Scheduled Task that runs as SYSTEM with highest privileges at logon, but the guide does not prominently disclose the privilege level, persistence, or security implications. This is especially dangerous because any compromise or modification of the referenced script would execute with full system privileges.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The troubleshooting section recommends changing PowerShell execution policy to RemoteSigned without warning users that this weakens script execution restrictions for the current user. Even if common in troubleshooting, advising a security control change without explaining consequences can normalize unsafe system changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic bug fixes and self-deleting repair scripts without clearly warning that the skill can create and run system-modifying artifacts. In a self-healing/repair context, this reduces informed consent and can normalize opaque system changes, making it easier for destructive or overbroad actions to occur without adequate user scrutiny.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The automatic trigger section says the skill activates on various errors but does not warn users that activation may generate repair tools and make system-affecting changes. Automatic invocation in response to routine failures increases risk because users may not realize that remediation actions such as restarts, config resets, or reinstall steps could be initiated from an error condition.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list uses generic terms like 'error', 'startup_failure', and 'health_check', which are broad enough to activate the skill in many unintended contexts. For a self-healing tool with file, shell, and restart behavior, over-broad invocation increases the chance of unwanted autonomous actions and accidental remediation on the wrong event.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The text says the skill handles 'all errors' automatically and that 'subsequent errors' are auto-processed, which is ambiguous and overly expansive. In context, this could normalize autonomous fixes for unrelated failures and mask when the tool is making system changes without sufficiently specific user intent.

Missing User Warnings

High
Confidence
93% confidence
Finding
The markdown promotes automatic repair capabilities but does not prominently warn that the skill may modify configuration, restart services, generate executable scripts, change permissions, or reinstall software. For a system-repair skill, omission of these warnings is dangerous because users may not understand that enabling automation permits impactful system changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The iFlow integration description states that diagnostic context is automatically passed to another tool, but it does not warn users about possible sharing of error details, local paths, configuration data, or operational metadata. This creates privacy and confidentiality risk, especially if logs or diagnostics contain secrets, tokens, or sensitive environment information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly tells users to run `echo $IFLOW_API_KEY`, which prints the full secret to the terminal. This can expose credentials through shoulder-surfing, terminal scrollback, session recording, shared shells, or support logs, and the document does not warn users to mask or avoid printing secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guidance instructs users to `cat ~/.iflow/settings.json`, which may reveal API keys or other authentication material in plaintext. In a repair/ops context, users may paste terminal output into tickets or chats, increasing the likelihood of credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section again recommends printing the full auth settings file, which can disclose stored credentials without any cautionary note. Repetition of unsafe secret-handling guidance makes accidental exposure more likely, especially during debugging and remote support.

VirusTotal

66/66 vendors flagged this skill as clean.
