Security audit

OpenClaw RPA

Security checks across malware telemetry and agentic risk

Overview

This is a real RPA automation skill, but it stores and reuses sensitive credentials and runs generated Python with broad local authority.

Install only if you are comfortable with a local RPA tool that can run generated Python, control a browser, call APIs, write files, and persist credentials. Do not use it on shared or untrusted machines; avoid recording high-value accounts; treat saved cookie files and generated scripts as secrets; prefer environment variables or a secret manager instead of embedded API keys; review generated rpa/*.py files before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (54)

compile() call detected

Medium
Category
Dangerous Code Execution
Content
    # Compile (syntax check on wrapped code; adjust reported line by -1 for wrapper)
    try:
        compiled = compile(async_code, "<python_snippet>", "exec")
    except SyntaxError as e:
        lineno = max(1, (e.lineno or 1) - 1)
        return f"python_snippet 语法错误 / syntax error: line {lineno}: {e.msg}"
Confidence
95% confidence
Finding
compiled = compile(async_code, "<python_snippet>", "exec")

exec() call detected

High
Category
Dangerous Code Execution
Content
    # Execute: define __snippet__ then await it
    try:
        exec(compiled, ns)          # noqa: S102  — defines __snippet__ in ns
        await ns["__snippet__"]()   # run the async snippet
        print("[recorder] python_snippet 验证通过 / validation passed ✓", flush=True)
        return None
Confidence
100% confidence
Finding
exec(compiled, ns) # noqa: S102 — defines __snippet__ in ns

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return 1

    print(f"▶️  正在运行 / Running: 「{task_name}」…")
    result = subprocess.run([sys.executable, str(script_path)])
    if result.returncode == 0:
        print(f"✅ 运行完毕 / Done: 「{task_name}」")
    else:
Confidence
93% confidence
Finding
result = subprocess.run([sys.executable, str(script_path)])

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs embedding user-supplied API and vision-model secrets into replayable scripts, turning transient credentials into long-lived plaintext artifacts. That materially expands exposure because generated scripts may be stored, copied, logged, or checked into version control, and the skill context does not provide an adequate warning about this persistence.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Persistently caching vision API keys in a local file creates a credential-at-rest risk unrelated to the minimum functionality needed for browser/file automation. If the host is compromised, multi-user, or backed up/synced insecurely, those cached keys can be recovered and abused for unauthorized API usage.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill explicitly instructs embedding user-provided API secrets into generated replay scripts so they persist on disk and are reused automatically. This broadens the skill from transient API use into local secret storage and code generation containing plaintext credentials, increasing the risk of credential leakage via source control, backups, logs, screenshots, or multi-user hosts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill goes beyond documented HTTP API support by asking users for third-party vision-model API keys, validating them, caching them locally, and reusing them for future sessions. This creates an undeclared credential retention mechanism for unrelated external services, which expands the attack surface and makes secret compromise more likely.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation explicitly recommends supplying real API keys in an "env" field so the generator writes them directly into the produced script. This creates plaintext credential exposure in source files, generated artifacts, shell history, backups, logs, and shared machines, making secret theft or accidental disclosure likely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs users to place real API keys into an `env` field so the code generator writes those secrets directly into the generated replay script. This creates a durable plaintext secret exposure path in source files and local artifacts, increasing the risk of accidental disclosure through logs, screenshots, backups, version control, or sharing of generated scripts.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The document explicitly defines a feature where AI-generated Python is injected into the RPA script and executed immediately during recording via compile()/exec(), then persisted for replay. That materially expands the skill from constrained RPA actions into arbitrary code execution with filesystem and application access, creating a powerful code-execution primitive if the model is prompted adversarially or generates unsafe code.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented symbol table exposes Path and os, which gives generated code broad access to local files and OS-adjacent functionality beyond the advertised browser/Excel/Word/API actions. Even if imports are nominally restricted, these primitives are sufficient for reading, modifying, and traversing local data in ways users may not expect from an RPA skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill exposes a python_snippet feature that validates and records arbitrary Python, which far exceeds the stated browser/file/API replay scope. Because the snippet is executed during recording and later emitted into standalone scripts, the skill becomes a general-purpose code execution mechanism rather than a bounded RPA recorder.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The generated standalone scripts centrally embed vision API keys, cookie paths, and environment-derived secrets, expanding the replay artifact into a credential-bearing bundle. This exceeds ordinary RPA replay expectations and increases the chance of credential leakage through saved scripts, logs, backups, or sharing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The recorder persistently caches third-party vision API keys in a predictable local JSON file under the user home directory. That is broader than necessary for transient recording and creates a durable secret-at-rest target if the workstation or account is later compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Login capture mode exports all cookies from the authenticated browser context to disk for later injection, which is effectively a credential-harvesting and session replay capability. In an automation skill, that dramatically raises risk because stolen cookie files can enable account takeover without passwords or MFA.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The promotional copy explicitly says API keys can be embedded in generated scripts, which normalizes storing secrets directly in code without warning about leakage through source control, logs, screenshots, or shared task files. In an RPA skill that generates portable Python scripts, this is especially risky because users are encouraged to run and redistribute those scripts outside the original environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The copy promotes saving and injecting login cookies on later recordings and replays but does not warn that cookies are bearer-session credentials that can enable account takeover if copied or exposed. In this skill context, automated reuse across browser sessions increases the chance that sensitive session material is stored insecurely, reused too broadly, or shared with generated artifacts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The promotional text explicitly states that API keys can be written into generated scripts, but provides no warning about plaintext credential storage, source control leakage, log exposure, or reuse risk. In an RPA skill that generates standalone Python files, this encourages insecure secret handling that could expose backend systems if the script is shared, committed, or left on disk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document promotes saving and automatically reusing login cookies without warning that cookies are equivalent to active session tokens and may bypass MFA or other login controls. In this skill's context, persisted cookies used across recording and replay materially increase account-takeover risk if the cookie store, generated scripts, or local workspace are accessed by another user or process.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages embedding API keys directly in generated scripts and shows a realistic-looking API key in examples. This creates a strong risk of credential leakage through source control, chat logs, generated artifacts, screenshots, and local files, especially because the skill is designed to record and replay automation workflows that may be shared or reused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes persistent cookie reuse to 'bypass login walls forever' and automatic injection of saved session cookies, but does not foreground the security implications of storing reusable authenticated sessions on disk. If these cookie files are stolen, copied, or injected into unintended workflows, they may enable account takeover or unauthorized access without needing passwords or MFA.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly promotes capturing and replaying authenticated browser sessions to 'permanently bypass' login walls, including reuse after manual 2FA completion. Even though this is documentation rather than code, it normalizes storage and reuse of highly sensitive session cookies without prominent warnings about theft, account takeover, shared-device exposure, expiration, or terms-of-service/security implications. In an RPA skill whose purpose is automation of live websites, this makes misuse materially more likely.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README includes concrete examples of placing an API key directly in prompts and URLs. This encourages unsafe secret handling practices because keys in chat text, shell history, generated scripts, logs, screenshots, analytics, and browser history are easily leaked and then reusable by attackers for unauthorized API access or billing abuse. In a skill that records/replays workflows, the risk is amplified because secrets may be persisted into artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The command reference advertises saving login sessions and auto-injecting cookies for later recording/replay, but does not directly warn that these stored cookies function as bearer tokens. Without clear guidance on storage security, scope, user separation, and revocation, users may expose session material that enables account hijacking or unauthorized access. Given the skill's automation focus, operators are likely to adopt these commands as-is.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs the agent to embed user API keys directly into generated scripts without a prominent warning that the secrets will persist on disk. This is dangerous because users may reasonably assume the key is used transiently, while in reality it becomes part of a reusable file that can leak through backups, logs, sharing, or source control.

VirusTotal

1/46 vendors flagged this skill as malicious, and 45/46 flagged it as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification, suspicious.obfuscated_code

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
README.zh-CN.md:181

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
recorder_server.py:225

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
rpa_manager.py:450

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
recorder_server.py:241