Gateway Validator

Security checks across malware telemetry and agentic risk

Overview

This skill should be reviewed carefully because it can use live API keys, overwrite gateway configuration, and restart the gateway under broad triggers.

Install only if you intentionally want an agent to validate and potentially apply OpenClaw gateway changes. Review the exact config diff first, confirm before any live provider test, apply, or restart, use test or least-privileged API keys where possible, and verify every configured baseUrl is trusted. Do not treat the included gateway startup check as proof that completions will work end to end.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Start gateway
    try:
        proc = subprocess.Popen(
            [openclaw, 'gateway', 'start', '--port', '0'],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
84% confidence
Finding
proc = subprocess.Popen( [openclaw, 'gateway', 'start', '--port', '0'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env, cwd

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is described as a validator, but this script copies a supplied configuration into the production location and therefore performs a privileged state-changing action. In an agent setting, this scope mismatch is dangerous because users or downstream automation may invoke a supposedly safe validation skill and unintentionally modify live gateway configuration.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script restarts the production gateway after applying configuration, creating a disruptive operational capability that exceeds a validator-only purpose. In context, this increases risk because a validation workflow can now trigger downtime, failed restarts, or service interruption on production systems.
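The review steps in the Overview (see the diff first, confirm before apply or restart, check every baseUrl) and the two findings above describe the same fix from two sides: validation must not be the thing that writes the production config. The following is an added example, not the skill's or OpenClaw's own code, of a validator that keeps validation, confirmation and apply as separate steps. Everything in it is assumed rather than taken from the page: the config is a JSON object with a top-level providers map whose entries may carry a baseUrl, the trusted-host allowlist is constructed, and confirm and write are injected callables so that a broad agent trigger cannot reach the writer directly.

```python
"""Added example (not the skill's or OpenClaw's code): a validator that keeps
validation, confirmation and apply as separate steps, per the overview above.

Assumptions, none of them from the page: the gateway config is a JSON object
with a top-level ``providers`` map whose entries may carry ``baseUrl``; the
trusted-host allowlist is constructed; ``confirm`` and ``write`` are injected
callables so that a broad agent trigger cannot reach the writer directly.
"""
import difflib
import json
from typing import Callable
from urllib.parse import urlparse

# Constructed allowlist: the operator decides which provider hosts are trusted.
TRUSTED_BASEURL_HOSTS = {"api.openai.com", "generativelanguage.googleapis.com"}


def untrusted_base_urls(config: dict) -> list:
    """Every configured baseUrl that is not https to an allowlisted host."""
    bad = []
    for name, provider in config.get("providers", {}).items():
        url = provider.get("baseUrl")
        if not url:
            continue
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname not in TRUSTED_BASEURL_HOSTS:
            bad.append(f"{name}: {url}")
    return bad


def config_diff(current: dict, proposed: dict) -> str:
    """Unified diff of the two configs, the thing a reviewer should read first."""
    cur = json.dumps(current, indent=2, sort_keys=True).splitlines()
    new = json.dumps(proposed, indent=2, sort_keys=True).splitlines()
    return "\n".join(difflib.unified_diff(cur, new, "current", "proposed", lineterm=""))


def validate(current: dict, proposed: dict) -> dict:
    """Pure validation: no file writes, no network calls, no restart."""
    return {
        "diff": config_diff(current, proposed),
        "untrusted_base_urls": untrusted_base_urls(proposed),
    }


def apply_if_confirmed(current: dict, proposed: dict,
                       confirm: Callable[[str], bool],
                       write: Callable[[dict], None]) -> dict:
    """Write the proposed config only if validation passes and the caller
    confirms the exact diff. Restarting the gateway is deliberately not done
    here; that is a separate, separately confirmed step."""
    report = validate(current, proposed)
    if report["untrusted_base_urls"]:
        return {"applied": False, "reason": "untrusted baseUrl", **report}
    if not report["diff"]:
        return {"applied": False, "reason": "no change", **report}
    if not confirm(report["diff"]):
        return {"applied": False, "reason": "not confirmed", **report}
    write(proposed)
    return {"applied": True, "reason": "confirmed", **report}


if __name__ == "__main__":
    # Constructed sample configs.
    live = {"providers": {"openai": {"baseUrl": "https://api.openai.com/v1"}}}
    proposed = {"providers": {"openai": {"baseUrl": "http://proxy.example/v1"}}}
    result = apply_if_confirmed(live, proposed, confirm=lambda d: True, write=lambda c: None)
    print(result["reason"], result["untrusted_base_urls"])
```

The point of injecting confirm and write is that an agent invoked on a broad trigger can call validate freely but cannot reach the state-changing path without a confirmation it does not control; a restart, if one is wanted, gets its own gate rather than riding on the apply.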

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is broad enough to auto-invoke on general configuration-related requests, increasing the chance the skill runs in situations where the user did not intend network validation or production-adjacent actions. In this context, overbroad invocation is more dangerous because the skill can test credentials, modify config, and potentially restart gateway components.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill does not clearly warn that validation may include direct provider API calls using configured credentials. This can expose sensitive operational behavior, incur cost, leak metadata to third parties, and surprise users who believed validation was purely local.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Google validation request places the API key directly in the URL query string. Even over HTTPS, URL query parameters are more likely to be exposed via logs, proxies, browser/history tooling, monitoring systems, or error messages than header-based credentials, creating unnecessary credential disclosure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Google API key is embedded directly in the request URL, which is risky because URLs are commonly captured in logs, proxies, browser/history equivalents, diagnostics, and upstream infrastructure. In this skill, the purpose is to validate live provider credentials, so the tool will transmit real secrets outbound; placing the secret in the URL increases accidental disclosure beyond the intended recipient.
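Both findings above turn on the same contrast: a key in the query string becomes part of the URL, and URLs are what proxies, access logs and tracebacks record, while a key in a header does not. The following is an added example, not the skill's own code, that builds the request both ways without sending it, lints a URL for credential-looking query parameters before any request goes out, and shows what a logger should record instead. Assumptions not taken from the page: the header name x-goog-api-key is the one Google APIs accept for API-key authentication, the list of parameter names treated as secrets is constructed, and the sample key is fake.

```python
"""Added example (not the skill's code): the two ways of sending a Google API
key that the findings above contrast, plus a pre-flight check that rejects a
URL carrying a secret in its query string.

Assumptions not from the page: the request is built with the standard library
only and never sent; ``x-goog-api-key`` is the header Google APIs accept for
API-key auth; the secret parameter names are a constructed list; the key is fake.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: query parameter names that usually carry a credential.
SECRET_QUERY_PARAMS = {"key", "api_key", "apikey", "token", "access_token"}


def build_request_key_in_query(base_url: str, path: str, api_key: str):
    """The flagged pattern: the key becomes part of the URL, and so of every
    proxy or access log, error message and traceback that records the URL."""
    url = f"{base_url.rstrip('/')}{path}?{urlencode({'key': api_key})}"
    return url, {}


def build_request_key_in_header(base_url: str, path: str, api_key: str):
    """Hardened form: the URL stays free of secrets; the key travels in a header."""
    url = f"{base_url.rstrip('/')}{path}"
    return url, {"x-goog-api-key": api_key}


def secrets_in_url(url: str) -> list:
    """Names of query parameters in the URL that look like credentials."""
    qs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, _ in qs if k.lower() in SECRET_QUERY_PARAMS]


def redact_url(url: str) -> str:
    """What a logger should record: secret-bearing parameters replaced."""
    parts = urlsplit(url)
    qs = [(k, "REDACTED" if k.lower() in SECRET_QUERY_PARAMS else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs)))


def preflight(url: str) -> tuple:
    """Refuse to send a request whose URL carries a credential."""
    leaked = secrets_in_url(url)
    if leaked:
        return False, f"credential in URL query: {', '.join(leaked)} ({redact_url(url)})"
    return True, "ok"


if __name__ == "__main__":
    KEY = "AIza-FAKE-KEY-0000"  # constructed, not a real key
    for build in (build_request_key_in_query, build_request_key_in_header):
        url, headers = build("https://generativelanguage.googleapis.com",
                             "/v1beta/models", KEY)
        print(build.__name__, preflight(url))
```

The preflight check is the part worth keeping in a validator: run it on every outbound URL before the request leaves, so that a credential can only ever travel in a header, and log redact_url(url) rather than the raw URL when a provider test fails.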

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal