OpenClaw VPS Server Hardening

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent VPS hardening skill, but it needs review because it gives risky mobile-app credential guidance and includes SSH instructions that could lock users out.

Review and adapt before installing. Run the script only after confirming Cloudflare Tunnel access, a working SSH key, and a non-root sudo recovery path; keep the old SSH session open while testing. Do not embed Cloudflare Access service-token secrets directly in a distributed native app unless you have a rotation, revocation, and containment plan; prefer user-bound OIDC/PKCE or a backend-held credential flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill clearly instructs users to copy and run a shell hardening script and references file modifications, but it declares no permissions despite requiring shell execution and file writes. This creates a trust and execution-boundary problem: an agent framework may permit the skill to operate with undeclared capabilities, reducing oversight and increasing the chance of unexpected or unsafe system changes.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The document makes an absolute security claim that every request requires authentication before reaching the VPS, but later endorses long-lived service tokens as a best approach for native phone apps. While service tokens are still a form of authentication, presenting non-expiring shared secrets as equivalent to user authentication can mislead operators into deploying weaker access controls and overestimating their security posture.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The script disables SSH root login with `PermitRootLogin no` but later instructs the operator to reconnect as `root`, which can cause lockout or unsafe recovery actions. In a hardening script, contradictory guidance is dangerous because operators may misconfigure access, revert protections, or be stranded on a remote VPS.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide recommends non-expiring Cloudflare Access service tokens as the best approach for a native phone app without warning that any secret embedded in a distributed mobile app can be extracted through reverse engineering, device compromise, logging, or proxy interception. If the token is recovered, an attacker gains ongoing machine-level access to the protected agent and can bypass the intended per-user identity gate until the token is manually revoked.

VirusTotal

66/66 vendors flagged this skill as clean.
