Back to skill

Security audit

Openclaw Setup Service

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw setup helper, but it asks for powerful server and bot access while giving too little safety guidance.

Install only after reviewing the scripts. Use a temporary least-privilege account instead of permanent root access, back up the server first, avoid exposing the service on all interfaces unless necessary, add firewall/TLS/authentication before starting the gateway, set restrictive permissions on config files, and rotate Telegram/API credentials after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documented setup goes beyond a generic install/configuration helper by explicitly enabling and instructing operation of a Telegram gateway service, which creates an externally reachable integration point. In this context, adding a network-facing bot service increases attack surface and may expose the host or bot account if deployed without hardening, authentication controls, or clear justification.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill includes instructions to configure a Telegram bot/gateway even though the stated purpose is a general installation/setup service. That mismatch matters because network-facing messaging integrations can be abused for remote interaction, unauthorized control paths, or accidental exposure if users follow the guide without understanding the security implications.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template binds the server to 0.0.0.0, exposing it on all network interfaces by default. For an installation/config service, this is unnecessarily permissive and can make the service reachable from untrusted networks, increasing the chance of probing, exploitation, or misuse of any exposed endpoints.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The template explicitly enables scheduled command execution and defines an allowlist that includes network-capable tooling such as curl. For an installation/configuration service, shipping a default runtime command-execution surface materially expands the attack surface and could allow abuse if job definitions or command inputs become attacker-controlled elsewhere in the system.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Binding the service to 0.0.0.0 exposes it on all network interfaces by default, making the setup service reachable beyond localhost. In the context of a setup/configuration skill, this broader exposure increases the risk of unauthorized access, especially when combined with enabled channels and operational features.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to enter and store a Telegram Bot Token directly in a local YAML config without warning that it is a sensitive credential. Tokens stored in plaintext are easily exposed through shell history, backups, screenshots, overly broad file permissions, or repository mistakes, enabling full compromise of the bot identity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README tells users to run a privileged installation script that performs package installation and remote bootstrap actions, including piping a fetched script into bash, without any safety warning or integrity verification. This is dangerous because compromise of the remote source, transport path, or repository can lead to immediate root-level code execution on the target system.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly asks users to provide server login information with root privileges, but it does not adequately warn about the severe risks of credential theft, persistent compromise, data exposure, or destructive system changes. In this context, the danger is elevated because the skill is offering remote installation/administration services, which normalizes handing over full control of a server to an untrusted third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script interactively collects a Telegram bot token and admin ID, then writes them directly into a persistent YAML config file under the user's home directory without any warning, masking, or permission hardening. This creates unnecessary credential exposure risk through shell shoulder-surfing, insecure filesystem permissions, backups, or later accidental disclosure of the config file.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script downloads code from an external URL and pipes it directly into bash, which creates a direct remote code execution path if the upstream server, CDN, DNS, TLS trust chain, or network path is compromised. In an installation skill context this is especially dangerous because users are encouraged to run the script with elevated privileges, magnifying the impact of any malicious or tampered response.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects a Telegram bot token and writes it directly into a user config file in plaintext without warning about secret-handling risks, file permissions, or safer alternatives. If the config file is readable by other local users, included in backups, synced to cloud storage, or accidentally committed to version control, the bot token can be stolen and used to control the bot.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.