OpenClaw Harness

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local checkpoint and cleanup skill, but its bundled cleanup agent can alter global agent memory and run repeatedly in the background.

Install only if you want a local checkpoint, verification, and cleanup system. Before running bin/gc-agent.sh with --run or --daemon, review the MEMORY.md path, back up MEMORY.md and .harness, and disable or explicitly trust the memory-palace archival helper. Run cleanup in dry-run mode first, and treat custom verify-command rules and forced restore/delete commands as privileged operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The architecture explicitly loads plugins by sourcing `.harness/plugins/*/plugin.sh`, which executes arbitrary shell code in the current process with the user's privileges. In an agent skill context, this meaningfully expands the trust boundary beyond the stated checkpoint/verify/gc/lint functions and creates a clear code-execution path from repository content or dropped files.
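A loader that narrows this trust boundary, written here as an added example rather than the harness's own code: each plugin.sh is sourced only if it is a regular file (not a symlink), owned by the current user, not group/world-writable, and its SHA-256 appears in an allowlist file. The allowlist location and the plugin directory layout are assumptions.

```bash
#!/usr/bin/env bash
# Hardened stand-in for `source .harness/plugins/*/plugin.sh`. Added example,
# not the harness's own loader. A plugin.sh is sourced only if it is a regular
# file (no symlinks), owned by the current user, not group/world-writable, and
# its SHA-256 appears in ALLOWLIST_FILE (one hex digest per line). The
# allowlist path and the plugin directory layout are assumptions.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS/BSD fallback
  fi
}

_plugin_skip() {                            # log and count a rejected plugin
  echo "skip $1: $2" >&2
  HARNESS_PLUGINS_SKIPPED=$((HARNESS_PLUGINS_SKIPPED + 1))
}

# Usage: load_trusted_plugins PLUGIN_DIR ALLOWLIST_FILE
# Sets HARNESS_PLUGINS_LOADED and HARNESS_PLUGINS_SKIPPED for the caller.
load_trusted_plugins() {
  local dir="$1" allowlist="$2" f digest
  HARNESS_PLUGINS_LOADED=0
  HARNESS_PLUGINS_SKIPPED=0
  [ -r "$allowlist" ] || { echo "allowlist $allowlist unreadable; loading nothing" >&2; return 1; }
  for f in "$dir"/*/plugin.sh; do
    [ -e "$f" ] || [ -L "$f" ] || continue             # glob matched nothing
    if [ -L "$f" ] || [ ! -f "$f" ]; then
      _plugin_skip "$f" "not a regular file"; continue
    fi
    if [ ! -O "$f" ]; then
      _plugin_skip "$f" "not owned by the current user"; continue
    fi
    # find prints the path only when the group- or other-write bit is set
    if [ -n "$(find "$f" \( -perm -g+w -o -perm -o+w \))" ]; then
      _plugin_skip "$f" "group/world-writable"; continue
    fi
    digest=$(sha256_of "$f")
    if ! grep -Fxq "$digest" "$allowlist"; then
      _plugin_skip "$f" "sha256 $digest not in allowlist"; continue
    fi
    # shellcheck disable=SC1090
    . "$f"                                   # passed every check: source it
    HARNESS_PLUGINS_LOADED=$((HARNESS_PLUGINS_LOADED + 1))
  done
  return 0
}

# Example invocation (paths are assumptions, not the harness's real layout):
# load_trusted_plugins .harness/plugins .harness/plugins.sha256
```

The digest allowlist is what turns "any file dropped into the repo" into "files a maintainer has reviewed"; the ownership and permission checks stop a second local user or a careless chmod from bypassing it, and rejecting symlinks closes the route where plugin.sh points at a file outside the reviewed tree.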

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The planned hook installation writes into `.git/hooks` by creating a symlinked pre-commit hook, which persists code execution into future developer workflows outside the immediate harness command. While pre-commit checks are common, this is a repo-modifying and persistence-enabling capability that exceeds the core state-management purpose and can become dangerous if the hook or its target is later altered.
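A check a reviewer can run after installing the skill, added here as an example and not part of the harness: list every live hook under .git/hooks, distinguishing symlinks (with their target, which is where the harness's pre-commit hook would point) from executable files, and ignoring git's untouched *.sample templates.

```bash
#!/usr/bin/env bash
# Audit .git/hooks for persisted code execution. Added example, not harness code.
# Usage: audit_git_hooks REPO_DIR
# Prints one tab-separated line per live hook:
#   <name>  symlink  <target>     for symlinked hooks (the pattern flagged above)
#   <name>  file                  for executable hook scripts
# git's *.sample templates and non-executable stray files are ignored.
audit_git_hooks() {
  local hooks="$1/.git/hooks" h name
  [ -d "$hooks" ] || { echo "no hooks dir at $hooks" >&2; return 1; }
  for h in "$hooks"/*; do
    [ -e "$h" ] || [ -L "$h" ] || continue    # nothing matched, or dangling link
    name=${h##*/}
    case "$name" in *.sample) continue ;; esac
    if [ -L "$h" ]; then
      # readlink shows the unresolved target, so a path leaving the repo is visible
      printf '%s\tsymlink\t%s\n' "$name" "$(readlink "$h")"
    elif [ -x "$h" ]; then
      printf '%s\tfile\n' "$name"
    fi
  done
  return 0
}

# Number of live hooks, for a gate such as: [ "$(count_live_hooks .)" = 0 ] || exit 1
count_live_hooks() {
  audit_git_hooks "$1" | wc -l | tr -d ' '
}
```

Symlinked hooks deserve the extra scrutiny because the code that runs at commit time is whatever the target contains at that moment; a later edit to the target, or a replaced link, changes the hook without touching .git/hooks itself.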

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Documenting restore and delete commands without explicit overwrite/data-loss warnings increases the chance that an agent or user invokes a destructive operation without understanding the consequences. In a context-management skill, restore can replace workspace state and delete can remove recovery points, so omission of warnings materially raises operational risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The GC command is described as routine cleanup, but it can delete checkpoints and files, making it a destructive operation that warrants stronger disclosure. Because this skill manages cross-session state, users may rely on old checkpoints for recovery; unclear GC semantics can lead to irreversible loss of task history or artifacts.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script reads the full contents of MEMORY.md and passes them as a command-line argument to another executable. Even if memory-palace is intended as a local companion tool, this can expose sensitive memory contents to another trust boundary and, on many systems, to process inspection via ps or procfs while the command is running.
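The two ways of handing MEMORY.md to a companion tool, side by side, as an added example (the memory-palace command line is not reproduced on this page, so the consumer command is passed in as CMD... and the flag names it needs are left to the caller). The self-check runs both against a constructed MEMORY.md with a stand-in consumer that records its own argv, which is what ps or /proc/<pid>/cmdline would show:

```bash
#!/usr/bin/env bash
# argv vs stdin for passing MEMORY.md to a companion tool. Added example,
# not harness code; CMD... is whatever consumer command the caller supplies.

# Pattern flagged above: the file contents become one argv element, visible to
# `ps -o args`, /proc/<pid>/cmdline and shell history while CMD runs.
archive_memory_via_argv() {
  local file="$1"; shift
  "$@" "$(cat "$file")"
}

# Remediation: stream the file on stdin. Only the command name and fixed flags
# appear in argv; the contents are readable only by the child process itself.
archive_memory_via_stdin() {
  local file="$1"; shift
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  "$@" < "$file"
}

# Self-check. MODE is "argv" or "stdin". Builds a constructed MEMORY.md holding
# a marker token and a stand-in consumer that writes its argv to a file and
# drains stdin, then reports "leaked" if the token appears in the recorded
# argv and "clean" otherwise.
exposure_check() {
  local mode="$1" tmp stub mem result
  tmp=$(mktemp -d)
  mem="$tmp/MEMORY.md"
  printf '# MEMORY.md (constructed sample)\napi_token=EXAMPLE-SECRET-0042\n' > "$mem"
  stub="$tmp/consumer.sh"
  cat > "$stub" <<'EOF'
#!/bin/sh
# stand-in for the companion tool: record argv, consume stdin
printf '%s\n' "$@" > "${0%.sh}.argv"
cat > /dev/null
EOF
  chmod 700 "$stub"
  "archive_memory_via_$mode" "$mem" "$stub" archive
  if grep -q 'EXAMPLE-SECRET-0042' "$tmp/consumer.argv"; then
    result=leaked
  else
    result=clean
  fi
  rm -rf "$tmp"
  printf '%s\n' "$result"
}
```

Run `exposure_check argv` and `exposure_check stdin` to see the difference; only the argv form exposes the token. Passing a file path instead of stdin is equally fine, provided the companion tool is trusted to read it, since a path reveals nothing about the contents.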

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs `harness checkpoint restore ... --force` after explicitly disabling the interactive confirmation step, which can overwrite the current workspace state without an active user decision at the moment of restore. In a checkpoint-management skill, restore operations are inherently state-destructive, so forcing them in an example increases the chance that users copy unsafe automation into real workflows and accidentally lose work or revert to an unintended snapshot.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation presents restore and garbage-collection commands as routine operations without prominent warning that restore may overwrite working files and GC may permanently delete retained state. In an agent skill context, this is more dangerous because an automated agent may follow concise docs literally and invoke destructive commands without interactive review, causing data loss or rollback of user work.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document includes `rm -rf .harness` as a recovery step with only a brief inline note that it is dangerous. In an agent skill focused on cross-session state management, this can easily lead to irreversible deletion of checkpoints and workflow state if copied blindly by users or agents, especially during troubleshooting.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The maintenance guide recommends `harness checkpoint restore <cp-id> --force` to overwrite current files, but it does not clearly warn about clobbering unsaved work or describe exactly which files may be replaced. In this skill context, restore operations directly affect agent memory/task files, so accidental use can corrupt active workspace state across sessions.
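The recurring point in the findings above is that restore, GC and `rm -rf .harness` are copied into automation with confirmation switched off. One way to put a gate in front of them, written as an added example and not part of the harness: refuse to run when no human can confirm (stdin is not a terminal and an explicit opt-in variable is unset), prompt when one can, and snapshot the state directory before the command runs. The variable name HARNESS_CONFIRM_DESTRUCTIVE and the backup layout are assumptions.

```bash
#!/usr/bin/env bash
# Gate for destructive harness operations (restore --force, gc, rm -rf .harness).
# Added example, not harness code. Refuses when no human can confirm (stdin is
# not a terminal and HARNESS_CONFIRM_DESTRUCTIVE is not "yes"); otherwise
# snapshots STATE_DIR into BACKUP_DIR as a tarball and then runs CMD.
# Usage: destructive_gate STATE_DIR BACKUP_DIR CMD...
# Returns CMD's exit status after running it, 2 if it refused, 1 if the
# backup failed (CMD is not run in that case).
destructive_gate() {
  local state="$1" backups="$2" reply snap
  shift 2
  if [ ! -t 0 ] && [ "${HARNESS_CONFIRM_DESTRUCTIVE:-}" != "yes" ]; then
    echo "refusing to run '$*' non-interactively; set HARNESS_CONFIRM_DESTRUCTIVE=yes to override" >&2
    return 2
  fi
  if [ -t 0 ]; then
    printf 'About to run: %s\nThis may overwrite or delete state under %s. Continue? [y/N] ' "$*" "$state"
    read -r reply
    case "$reply" in y|Y|yes) ;; *) echo "aborted" >&2; return 2 ;; esac
  fi
  if [ -d "$state" ]; then
    mkdir -p "$backups"
    snap="$backups/state-$(date +%Y%m%dT%H%M%S).tar"
    # tar from the parent so the archive contains the state dir by name
    tar -cf "$snap" -C "$(dirname "$state")" "$(basename "$state")" || return 1
    echo "state backed up to $snap" >&2
  fi
  "$@"
}

# Example invocations (command lines as quoted in the findings above):
# destructive_gate .harness .harness-backups harness checkpoint restore <cp-id> --force
# destructive_gate .harness .harness-backups rm -rf .harness
```

The opt-in variable is deliberately separate from the command's own --force: an agent following the docs literally will reproduce --force, but it will not set an environment variable the docs never mention, so the gate fails closed in exactly the non-interactive case the findings describe.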

VirusTotal

66/66 vendors flagged this skill as clean.
