Security audit

OpenClaw Model Switcher

Security checks across malware telemetry and agentic risk

Overview

This skill performs plausible model-switching work, but it changes live OpenClaw configuration, the validation it claims is not borne out by the implementation, and its dry-run mode still has side effects. Users should review these points before installing.

Install only if you are comfortable with a skill that can edit OpenClaw model configuration and affect gateway availability. Before using it, verify that it rejects model names not present in the configured provider list, shows the exact config change before writing, requires explicit confirmation before restarting the gateway, and either makes dry-run fully side-effect-free or clearly documents that it creates a backup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions, yet it instructs the agent to read configuration files, write modified configuration state, and execute a shell command that restarts the gateway. Undeclared capability of this kind increases the chance of unauthorized sensitive operations and defeats permission review and user consent, since the reviewer sees nothing to approve.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
If the implementation accepts any supplied model name and writes it directly into agents.defaults.model.primary, the skill can place the system into an invalid or attacker-chosen configuration despite claiming strict validation. The consequences are denial of service (a gateway that cannot start), traffic routed to unintended providers or models, and loss of operator trust, because the documented safety guarantees do not hold.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill description promises to validate that the requested model exists in the configured provider list, but the implementation writes any supplied model string directly into the config. This can leave the gateway unable to start or cause it to route to an unintended model, a denial-of-service or integrity issue in a skill that changes administrative configuration.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata promises to validate that the requested model exists in the configured provider list, but the implementation writes any supplied model string directly into the live configuration. This can break availability, cause misrouting to unintended models, and defeats an important safety guard the skill claims to provide.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The dry-run mode claims that no actual changes occur, but it still creates the backup directory and copies the configuration file into it. This mismatch can expose sensitive configuration contents in a location the operator did not expect, and it violates the operator's expectation that a dry run has no side effects.
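The checks the overview asks users to verify (reject unknown models, preview the exact change, confirm before any write) and the dry-run expectation described in this finding can be demonstrated together. The following is an added example written for this audit page; it is not the audited skill's code or any OpenClaw code. It assumes a JSON config containing the key agents.defaults.model.primary (the only key the findings name) and a `models.providers` layout that is assumed here, with a constructed sample config embedded so it runs offline. The gateway restart is deliberately left to the operator, so the function never runs a shell command.

```python
"""Hardened model switch: validate against the provider list, preview the change,
keep dry-run free of side effects, and back up only when an apply is confirmed.

Added example for this audit page; not the audited skill's code or OpenClaw's own.
The config key agents.defaults.model.primary comes from the findings; the
`models.providers` layout and the sample content below are assumptions.
"""
import copy
import json
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample config, not a real OpenClaw file (layout assumed).
SAMPLE_CONFIG = {
    "agents": {"defaults": {"model": {"primary": "openai/gpt-4o"}}},
    "models": {
        "providers": {
            "openai": {"models": [{"id": "gpt-4o"}, {"id": "gpt-4o-mini"}]},
            "anthropic": {"models": [{"id": "claude-sonnet-4"}]},
        }
    },
}


def write_sample_config(directory):
    """Write the constructed sample config into `directory` and return its path."""
    path = Path(directory) / "openclaw.json"
    path.write_text(json.dumps(SAMPLE_CONFIG, indent=2) + "\n")
    return path


def known_models(config):
    """Return the set of 'provider/model' identifiers the config actually declares."""
    out = set()
    for provider, spec in config.get("models", {}).get("providers", {}).items():
        for model in spec.get("models", []):
            out.add(f"{provider}/{model['id']}")
    return out


def plan_switch(config, requested):
    """Validate `requested` and return (new_config, change) without touching disk.

    Raises ValueError for any model the provider list does not declare. The returned
    `change` dict is the exact edit an operator should see before anything is written.
    """
    allowed = known_models(config)
    if requested not in allowed:
        raise ValueError(f"unknown model {requested!r}; configured: {sorted(allowed)}")
    new = copy.deepcopy(config)
    old = new["agents"]["defaults"]["model"]["primary"]
    new["agents"]["defaults"]["model"]["primary"] = requested
    change = {"path": "agents.defaults.model.primary", "from": old, "to": requested}
    return new, change


def switch_model(config_path, requested, dry_run=True, confirm=lambda change: False):
    """Dry run: plan only, no backup, no write. Apply: back up, then write, only if confirm() agrees.

    Restarting the gateway is left to the operator after reviewing the result;
    this function never executes a shell command.
    """
    config_path = Path(config_path)
    config = json.loads(config_path.read_text())
    new_config, change = plan_switch(config, requested)
    if dry_run:
        # Nothing is created on disk in a dry run, not even the backup.
        return {"applied": False, "change": change, "backup": None}
    if not confirm(change):
        return {"applied": False, "change": change, "backup": None}
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    backup = config_path.with_name(f"{config_path.name}.{stamp}.bak")
    # Backup stays beside the config with its permissions preserved, so no copy of
    # the configuration (which may hold secrets) lands in an unexpected location.
    shutil.copy2(config_path, backup)
    config_path.write_text(json.dumps(new_config, indent=2) + "\n")
    return {"applied": True, "change": change, "backup": str(backup)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = write_sample_config(d)
        print(switch_model(p, "anthropic/claude-sonnet-4"))  # dry run: plan only
        print(switch_model(p, "anthropic/claude-sonnet-4", dry_run=False, confirm=lambda c: True))
        try:
            switch_model(p, "openai/not-a-model")  # made-up name, must be rejected
        except ValueError as e:
            print("rejected:", e)
```

The design point is that validation and preview live in `plan_switch`, which has no filesystem access, so a dry run cannot acquire side effects by accident; the backup and the write are only reachable through the confirmed apply path.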

Vague Triggers

Medium
Confidence
90% confidence
Finding
Broad trigger phrases such as 'switch model' or 'change model' can activate the skill in routine conversation without strong intent verification. That is risky here because the skill writes configuration and restarts the gateway: accidental invocation can disrupt service or change the default model unexpectedly, so broad matching is more dangerous in this skill than it would be in a read-only one.

VirusTotal

63/63 vendors flagged this skill as clean.