Openclaw Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenClaw deployment skill, but it needs review because it packages private workspace content and can overwrite local or remote systems with weak safeguards.

Install only if you are comfortable reviewing and running deployment shell scripts. Before packaging, inspect the archive contents because workspace memory and skills may include private prompts, notes, code, or secrets. Prefer SSH keys over --password, verify host keys manually for production systems, avoid arbitrary deployment URLs, and test with --dry-run or non-production hosts before using overwrite modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script advertises automatic removal of sensitive information, but only sanitizes openclaw.json while copying workspace files, memory, and skills verbatim. In a deployment/export tool, those directories can easily contain secrets, tokens, prompts, internal notes, or proprietary code, so users may wrongly trust the package as safe to share and unintentionally leak sensitive data.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The exclusion feature is misleading because files are first copied into the temporary package tree and then archived from explicit item paths, so user-supplied excludes may not prevent sensitive content from being packaged as expected. In a tool intended for migration and sharing, this can directly cause accidental inclusion of data the operator believed had been excluded.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script can download a deployment archive from an arbitrary URL and proceed to unpack and deploy it, effectively trusting remotely supplied code and configuration. Although a SHA256 file may be fetched, it is retrieved from the same untrusted location, so it does not provide meaningful authenticity and can still allow malicious package delivery.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script automatically downloads and executes a host-level installer script from the network using sh, which is equivalent to arbitrary code execution as the invoking user, often root in deployment contexts. In a deployment skill, this greatly expands blast radius from app setup to full system compromise if the network path, source, or fetched content is malicious or tampered with.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to perform SHA256 verification, but the remote verification logic is broken: `sha256_cmd` echoes a command string instead of executing it, so `actual=$(sha256_cmd "$REMOTE_PKG" | awk '{print $1}')` does not compute the package hash. This means integrity checking can silently fail or behave incorrectly, allowing a tampered deployment archive to be installed on remote hosts.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The guide normalizes use of SSH with `StrictHostKeyChecking=accept-new`, which silently trusts first-seen host keys. In a deployment skill whose value proposition includes integrity and safe remote deployment, this weakens protection against man-in-the-middle attacks during initial connection or after host reprovisioning.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The troubleshooting steps recommend password-based SSH deployment with `sshpass` and a plaintext `--password` CLI argument. Passwords passed on the command line can be exposed via shell history, process listings, logs, and CI output, making credential compromise likely in shared or automated environments.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The guide advises executing a remote script directly via `curl ... | bash`, which bypasses meaningful integrity review and gives arbitrary code immediate shell execution on the target host. This is especially dangerous in a deployment tool because users are primed to run such commands on production systems with elevated privileges.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The test temporarily renames the host system's sshpass binary to simulate its absence, which mutates global system state outside the test sandbox. This can disrupt concurrent processes or other tests that rely on sshpass, and if the script exits unexpectedly the binary may remain unavailable until manually restored.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file provides concrete remote deployment and Docker setup instructions, including SSH access and editing a .env file with API keys, but does not include any explicit warning about security, privacy, or system-impact risks to the operator. In the context of a deployment skill that can connect to arbitrary servers and handle secrets, omission of such warnings increases the chance of unsafe use, credential exposure, or unintended modification of production systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generated install script unconditionally moves the user's existing ~/.openclaw directory to a backup location and replaces it with packaged content, without prompting for confirmation or validating the target state. This is a real safety issue because it can overwrite an active environment, disrupt service, and cause data loss or confusion if the backup step fails or the new package is incomplete.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently packages workspace memory and skills content without clearly warning that these areas may contain sensitive user data, credentials, internal prompts, or proprietary materials. In the context of a one-click export/deploy tool marketed for sharing and migration, this increases the likelihood of accidental data exfiltration through normal use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Accepting a password via command-line argument exposes credentials through shell history, process listings, audit logs, and orchestration wrappers. In deployment contexts this can leak SSH or remote access credentials to other local users or logging systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
Downloading and immediately executing a network-fetched installer without warning or confirmation is unsafe because it grants the fetched script full execution on the host. Given this skill's deployment role, users may run it with elevated privileges, making compromise severe and system-wide.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script supports password-based SSH by passing the password directly to sshpass with the -p argument. This exposes the secret in the local process list and potentially shell history or audit tooling, allowing other local users or monitoring systems to recover the credential during execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents deployment flows that can overwrite existing environments locally, remotely, and in batch, including a direct 'cover' mode, but it does not prominently warn that these actions may modify or destroy data on target systems. In an automation/deployment skill, missing safety warnings materially increases the chance of accidental destructive use, especially when users may run commands against production hosts or as root.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide includes `sudo rm -rf /opt/openclaw` as a troubleshooting step without a prominent warning, backup guidance, or confirmation safeguards. Even though the path is narrower than a full-disk wipe, destructive recursive deletion in operational docs can cause data loss, service outage, or accidental misuse if copied carelessly.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation suggests passing a plaintext SSH password directly in a command example and does so without any security warning. This materially increases the chance of credential leakage through terminal history, process inspection, screenshots, support logs, and automation transcripts.

Missing User Warnings

High
Confidence
99% confidence
Finding
Piping a remote network response directly into `bash` is an unsafe execution pattern, and the troubleshooting guide does not provide any warning or verification requirement. In context, this can turn a troubleshooting step into a remote code execution vector if the URL, host, DNS, TLS trust chain, or upstream content is compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The test manipulates a real host executable without any safety guardrails, explicit warning, or isolation mechanism. In a deployment-related skill, users may run tests on workstations or CI runners with elevated privileges, making unintended environmental breakage more likely and harder to diagnose.

External Script Fetching

Low
Category
Supply Chain
Content
**Fix**:
```bash
# Install Docker on the target host (Ubuntu example)
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker $USER
```
Confidence
94% confidence
Finding
curl -fsSL https://get.docker.com | sudo sh

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
./scripts/deploy.sh --conflict update

# Or delete manually and redeploy
sudo rm -rf /opt/openclaw
./scripts/deploy.sh
```
Confidence
97% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
./scripts/deploy.sh --conflict update

# Or delete manually and redeploy
sudo rm -rf /opt/openclaw
./scripts/deploy.sh
```
Confidence
97% confidence
Finding
rm -rf /opt/

Chaining Abuse

High
Category
Tool Misuse
Content
**Fix**:
```bash
# Install Docker on the target host (Ubuntu example)
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker $USER
```
Confidence
98% confidence
Finding
| sudo

VirusTotal

66/66 vendors flagged this skill as clean.
