OpenClaw QuickRef

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw quick reference; it does not contain code or automatic actions, but users should review state-changing command examples before running them.

Install is reasonable if you want OpenClaw command and config reference material. When using it, treat examples as documentation: do not paste real API keys into commands or shared files, verify plugin sources before installing them, and double-check commands that delete sessions, remove plugins, change configuration, or start daemon services.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The description uses broad trigger language such as answering when users ask '怎么配置', '命令是什么', or '配置格式', which can match many ordinary requests outside the intended OpenClaw context. Over-broad activation can cause the skill to fire unexpectedly, introducing irrelevant instructions and reducing the reliability and safety of skill routing.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The activation conditions are generic and ambiguous, including prompts like '用户询问 CLI 命令用法' and '用户需要快速参考某个功能' without requiring the request to be specifically about OpenClaw. This increases the chance of accidental invocation on unrelated tasks, which can mislead users or interfere with more appropriate skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal