Openclaw Rescue Kit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw rescue toolkit, but it needs review because it can keep running in the background and make high-impact local changes.

Install only if you intentionally want a local OpenClaw maintenance kit with ongoing authority. Before enabling LaunchAgent or crontab jobs, review the scripts, use a dedicated gateway port, protect ~/.openclaw/notify.conf, avoid committing webhook tokens or secrets into the local Git snapshots, test cleanup on copies first, and keep the unload/removal commands handy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script accepts a caller-supplied string as `modify_cmd` and executes it with `eval`, which gives the caller unrestricted shell execution rather than limiting changes to structured configuration edits. In the context of an agent skill marketed as a safe recovery/configuration tool, this is especially dangerous because higher-level automation may treat it as trusted and pass user-influenced input into it, enabling arbitrary command execution, file deletion, credential access, or persistence.

Intent-Code Divergence

High
Confidence: 95%
Finding
The header and usage text present the script as a 'safe configuration modification' tool with atomic write, validation, and rollback, but the implementation delegates the actual modification to an arbitrary shell command. This mismatch is security-relevant because operators or downstream agents may trust the safety claims and use the script in elevated or automated contexts, underestimating the risk of command injection and unintended side effects.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to configure Feishu/Telegram/other webhooks and test notifications, but it does not warn that operational data, alerts, host status, or possibly sensitive error details may be transmitted to third-party messaging platforms. In a rescue/watchdog skill, alerts are likely to contain system state and failure context, so omission of privacy/data-sharing guidance creates a real security and compliance risk.

Vague Triggers

Medium
Confidence: 86%
Finding
The activation text uses broad triggers like gateway crashes, watchdogs, rollback, log cleanup, port conflicts, and deployment rescue scripts, which can match many ordinary support requests. That increases the chance the skill is invoked in contexts where the user did not specifically consent to persistence, script installation, or system changes.

Missing User Warnings

Medium
Confidence: 94%
Finding
The markdown instructs users to run installation commands that create directories, copy executable scripts, and run an installer without a prominent warning that this changes the local system and may establish persistence later in the guide. In a skill context, hidden or under-emphasized system modification is dangerous because users may treat it as routine troubleshooting rather than software deployment.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide instructs users to run a startup wrapper that can stop services, clear locks, remove PID files, and force-kill processes, but it does not clearly warn that it will modify local state and may terminate the wrong process if port/PID detection is inaccurate. In an ops script, destructive actions without explicit caution and scoping guidance can cause denial of service or accidental disruption of unrelated local services.

Missing User Warnings

Medium
Confidence: 93%
Finding
The watchdog is documented as automatically repairing configuration, rolling back state, and restarting services unattended, yet the guide lacks a prominent warning that it can alter configuration and service availability without operator review. In this context, unattended rollback and restart logic increases the risk of unexpected outages, configuration loss, or recovery to stale states if detection logic is wrong.

Missing User Warnings

Medium
Confidence: 88%
Finding
The notification section lists third-party channels but does not warn that alert content may be transmitted to external services, potentially including operational details, hostnames, paths, or failure messages. In an incident-response skill, this can unintentionally expose sensitive metadata outside the local environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The log cleaner is documented as deleting old logs and aggressively trimming session files, but the guide does not prominently warn about irreversible data loss or forensic impact. In a troubleshooting and recovery toolkit, removing or shrinking logs can destroy evidence needed for root-cause analysis, auditing, or rollback validation.

Missing User Warnings

Medium
Confidence: 91%
Finding
The rollback operation overwrites the current working configuration from a Git tag and, if the openclaw CLI is present, immediately stops and restarts the gateway without any confirmation prompt or dry-run safeguard. In an operational recovery script this may be intentional, but it still creates a meaningful safety/security risk: a mistaken invocation, wrong tag selection, or socially engineered command execution can cause configuration rollback, service interruption, and potentially re-enable older insecure settings.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script performs destructive deletions and in-place modifications across logs, sessions, backups, memory files, lock files, and /tmp content, but the advertised --dry-run mode is only applied to rollback-backup cleanup. Most cleanup functions ignore dry_run entirely, so a user may reasonably expect a safe preview and instead trigger irreversible file loss. In a maintenance skill that encourages automated self-healing, this is especially risky because it is likely to be run unattended or with elevated trust.

VirusTotal

59/59 vendors flagged this skill as clean.
