OpenClaw Security Hardening

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local security-hardening skill, but it deserves review because some commands can persistently change agent rules and modify file permissions outside the workspace.

Install only if you are comfortable running local shell scripts that inspect OpenClaw skills and sensitive-looking files. Run the tools without --fix first, review the exact paths reported, manually merge any AGENTS.md rules instead of blindly appending them, and treat the scanner results as advisory because the bundled scanner has a self-exclusion blind spot.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation clearly instructs users to run shell scripts that perform filesystem inspection, configuration changes, and outbound-pattern analysis, yet the skill declares no permissions or capability boundaries. This mismatch can mislead reviewers and automation about the skill's effective power, reducing transparency and increasing the chance that risky operations are trusted or executed without appropriate scrutiny.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script scans for credential-like files in user home directories outside the declared workspace, including ~/Documents and ~/Desktop. Even though it does not exfiltrate contents, this expands the script's trust boundary and causes a workspace hardening tool to inspect unrelated personal files, which is a privacy and scope violation if run by an agent or automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script searches for OpenClaw gateway configuration in user-level locations under $HOME and, in --fix mode, changes permissions on whichever file it finds. Modifying configuration outside the workspace violates expected containment for a workspace hardener and can alter global user state unexpectedly, which is risky when invoked by an agent or from an untrusted workspace.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The scanner deliberately skips any file whose path contains the string 'openclaw-security-hardening', creating a blind spot in the exact skill that claims to provide security coverage. That means malicious or compromised content placed in this skill tree will never be analyzed, undermining trust in the scanner and enabling evasion.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The substring match `*openclaw-security-hardening*` is broader than the comment suggests and can skip any file or directory whose path includes that text, not just this skill's own files. An attacker could exploit this by naming a malicious directory or file to contain that substring and thereby evade scanning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill tells users to append content directly into AGENTS.md, which is a core control file governing agent behavior, without requiring manual review, diff inspection, or backup. Modifying agent control instructions wholesale can unintentionally weaken safeguards, introduce prompt-injection surface, or override existing policies in a way that affects all future agent behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recommended setup encourages running an auto-fix mode that may change permissions, ignore rules, or configuration files, but does not warn users that workspace state will be modified. Silent or poorly understood remediation can break environments, alter security posture unexpectedly, or mask what changed, which is risky in a hardening tool that touches sensitive settings.

VirusTotal

64/64 vendors flagged this skill as clean.