Security audit

Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Anycast network integration, but it can send data and commands to remote services and store tenant-scoped memory, so users should treat it as sensitive.

Install only if you intend to let your assistant access your Anycast tenant. Use a least-privilege token, avoid sending secrets or personal data in messages, connector queries, or memory values, and confirm remote-agent messages or connector queries before running them in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 83%
Finding
The manifest description understates the skill’s capabilities by omitting tenant-scoped memory storage/retrieval, while the body documents persistent state operations. This mismatch can prevent accurate user consent and review, making it easier to invoke stateful behavior that users or operators did not expect from a network interaction skill.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Tenant-scoped memory persistence expands the skill from transient network interaction into cross-session data retention, but the stated purpose does not justify that broader capability. This creates risk of storing sensitive data, hidden long-lived state, or unauthorized coordination data under a scope affecting an entire tenant.

Missing User Warnings

Medium
Confidence: 85%
Finding
The README advertises capabilities to send messages to remote agents and query cross-environment connectors spanning databases, APIs, logs, and collaboration tools, but it does not warn about the sensitivity of the reachable data or the operational risk of issuing commands across environments. In a skill whose primary purpose is cross-agent communication and connector access, omission of security boundaries, authorization expectations, and data-handling cautions can lead users to over-trust the skill and use it in ways that expose private data or trigger unintended actions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill performs authenticated remote requests and supports persistent writes, yet it provides no explicit warning that using it may transmit user data off-system or modify remote state. In this context, that omission is dangerous because users may supply prompts or identifiers assuming read-only/local behavior when the skill can message agents, query connectors, and write tenant memory.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.