Openclaw Optimizer Pro

Security checks across malware telemetry and agentic risk

Overview

This OpenClaw administration skill appears useful and purpose-aligned, but it gives broad optimization/security guidance and includes destructive log cleanup without clear confirmation or backup safeguards.

Install only if you want an agent to help administer OpenClaw settings and performance. Before allowing changes, explicitly ask for read-only diagnostics first, require a preview of files/settings to be changed, and do not permit memory-log deletion unless you have backed up or intentionally no longer need that history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 91% confidence
Finding
The skill advertises broad activation on generic requests like optimization, capability fixes, performance tuning, and security hardening, without clear scoping or consent boundaries. That can cause the agent to invoke this skill in situations where it begins inspecting local configuration, credentials-adjacent files, or system security state more aggressively than the user intended.

Missing User Warnings

Medium, 85% confidence
Finding
The guidance recommends cleaning memory logs older than 30 days, which is a destructive action, but it does not require confirmation, backup, or a warning that historical data may be permanently lost. In an agent setting, this can lead to unintended deletion of user data during optimization or token-reduction tasks.

VirusTotal

66/66 vendors flagged this skill as clean.
