OpenClaw VPS Deploy

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it deploys a persistent, internet-reachable root service while handling API keys, SSH trust, and auth tokens in ways users should review carefully.

Install only if you are comfortable giving the skill root SSH access to the VPS and copying model-provider credentials to that server. Verify the VPS SSH fingerprint, avoid placing private keys in /tmp, use a dedicated low-blast-radius API key, use only trusted repo/package values, keep the gateway behind HTTPS, VPN, or a tunnel where possible, protect and rotate tokens, and close the public port or disable the service when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The script silently reads credentials from a local OpenClaw secrets vault and later persists generated deployment tokens back into that vault. That exceeds the minimum scope of VPS deployment and creates implicit credential access and storage behavior that a user may not expect, increasing the chance of secret exposure or misuse on the operator machine.

Intent-Code Divergence

High (98% confidence)
Finding
The systemd service starts the gateway with --auth token but does not supply the token value, while also enabling --allow-unconfigured. In a deployment script whose purpose is to expose a service on a public VPS, this mismatch can leave the service reachable in an incompletely configured or unexpectedly permissive state, undermining intended authentication.

Missing User Warnings

Medium (88% confidence)
Finding
The documentation says the deployment saves auth tokens to a local vault and later shows how to retrieve them, but it does not warn that these are sensitive credentials or restrict how they should be displayed. This increases the chance of accidental token exposure through terminal history, screenshots, logs, or overly broad local access.

Missing User Warnings

Medium (90% confidence)
Finding
The skill instructs opening UFW ports and making the OpenClaw gateway reachable at a public URL, while also using LAN binding and allowed origins that include the public IP. Public exposure of an admin/control interface substantially increases attack surface, especially if users deploy with weak token hygiene or default networking assumptions.

Missing User Warnings

Medium (92% confidence)
Finding
The documentation explicitly instructs copying an SSH private key to /tmp for authentication. Even with chmod 600, /tmp is a globally shared, temporary location that increases the risk of accidental exposure, race conditions, improper cleanup, or access by other privileged processes; in a VPS deployment skill handling real credentials, this is a meaningful operational security weakness.

Missing User Warnings

Medium (88% confidence)
Finding
The guidance recommends adding a public IP to allowedOrigins so the control UI can be accessed remotely, but it does not warn that this broadens remote browser access to an administrative interface. In the context of a cloud-hosted OpenClaw deployment, exposing the control UI over a public IP materially increases attack surface and can enable unauthorized interaction if authentication, TLS, or origin restrictions are misconfigured.

Missing User Warnings

Medium (92% confidence)
Finding
The guide prints the generated agent authentication token directly to the terminal without warning about handling, storage, shell history, logs, or operator exposure. In an administrative VPS setup, this can leak credentials through shared terminals, session recording, command transcripts, or screenshots, enabling unauthorized access to the remote OpenClaw gateway.

VirusTotal

66/66 vendors flagged this skill as clean.