Security audit

Openclaw Sys Guardian V4.1 Resurrection

Security checks across malware telemetry and agentic risk

Overview

This skill is a real OpenClaw recovery guardian, but it can run persistently and make broad, potentially destructive changes to a user's local environment.

Install only if you intentionally want a powerful local recovery daemon for OpenClaw and are comfortable reviewing and editing the shell scripts first. Before use, remove hard-coded user paths, protect or exclude auth-profile backups, pin package versions, test on a non-critical machine, and confirm how to stop the LaunchAgent and recover from config or workspace overwrites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises persistent background operation and shell-based maintenance actions, but it does not declare permissions for those capabilities. Hidden or undeclared shell access is dangerous because users and policy controls cannot accurately assess or constrain what the skill may execute, especially for a system-management skill with repair and cleanup behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true vulnerability because the skill description presents benign HA/self-healing behavior while the detected capabilities include destructive uninstall, cache deletion, process killing, persistence removal, hardcoded-path restoration, and deliberate fault injection. That mismatch is especially dangerous in a system skill: users may install it expecting maintenance, but it can modify or destroy data, disrupt services, or restore from unsafe locations without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The design expands a high-availability guardian into sensitive agent-governance functions: context injection, memory/task inspection, external notification, and dynamic skill restoration. These capabilities materially exceed simple self-healing and can be abused to alter agent behavior, access sensitive state, or reintroduce code dynamically without strong trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Forcing AGENTS.md rules into the top of the live agent context gives this skill authority to steer or override model behavior after recovery. In an adversarial or compromised skill, this becomes a prompt-injection persistence mechanism that can survive failures and continuously reassert control.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading MEMORY.md and active-task data grants visibility into potentially sensitive plans, user context, and operational state unrelated to core HA recovery. This violates least privilege and can be leveraged for data exfiltration, task manipulation, or opportunistic capability escalation after rollback.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
External Feishu approval flows plus hot-reload of missing skills create a supply-chain and exfiltration risk: the system can communicate externally and dynamically change its capabilities during recovery. If abused, this can install malicious components, leak metadata, or bypass normal deployment review under the guise of restoration.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script's stated purpose is HA monitoring and self-healing, but it also performs autonomous maintenance actions including security audit fixes, doctor fixes, and session cleanup. This capability expansion increases operational risk because users may deploy it expecting availability monitoring while it silently changes system state and session data on a schedule.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The recovery path force-kills any process bound to port 18789 using kill -9, which is a blunt host-level action that can terminate the wrong service if the expected gateway is not the current listener. In an automated loop, this can repeatedly disrupt local services and cause denial of service or data loss from ungraceful termination.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script’s behavior materially exceeds a self-healing/HA role by unloading services, force-killing processes, uninstalling global packages, deleting caches, and replacing local state. In an agent skill context, this is dangerous because it performs host-level destructive recovery actions that can disrupt unrelated workloads and irreversibly alter the user environment under the guise of maintenance.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script changes global package-manager state with npm/pnpm uninstall/install operations and deletes globally installed binaries and caches. That is risky in a guardian skill because it can break other Node-based tooling, corrupt shared package state, and cause denial of service beyond the target application.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script backs up auth-profiles.json into a backup vault without any evidence of minimization, encryption, permission hardening, or user consent. Authentication profile data is sensitive, and duplicating it increases exposure if the backup directory is read by other local users, synced elsewhere, or later mishandled.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script intentionally sends SIGKILL to processes matching "openclaw", which is a real destructive action rather than passive validation. Because the regex is broad and the skill is framed as a validator/HA guardian, this creates unnecessary denial-of-service risk and can terminate unintended matching processes during testing.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The validator invokes an external snapshot script when a backup is missing, which changes system state instead of only validating it. That expands the script from verification into remediation/modification, making behavior less predictable and increasing the risk of unintended file creation or operational side effects.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments describe a dry-run rollback check, but the overall script has already performed a real kill operation and may execute a real snapshot script. This mismatch is dangerous because operators may trust the script as non-invasive and run it in production, leading to unexpected disruption or state changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manual describes destructive cleanup actions including destroying unresponsive sessions and automatically applying security fixes, but it does not clearly warn operators that these actions can terminate active work, remove recoverable state, or introduce unintended configuration changes. In an autonomous HA/self-healing context, such cleanup is more dangerous because readers may implement it as unattended automation, increasing the chance of silent data loss or operational disruption.

Missing User Warnings

High
Confidence
97% confidence
Finding
This section documents a cascading recovery chain that includes kill -9, forced restart, rollback, reinstall, and full restore without a consolidated warning about downtime, irreversible state changes, or possible restoration of stale/incorrect data. In a system-guardian skill, these steps are especially risky because they are framed as routine self-healing behavior, which can encourage blind automation of highly destructive recovery operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented rsync command uses --delete, which can remove files from the mirror destination to match the source, but the manual does not explicitly warn that destination data may be deleted. In backup/mirror procedures this is dangerous because operators may assume the target is only appended to, leading to accidental loss of data kept only on the mirror side.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automated "system optimization" and recovery behavior that can alter system state, restart services, clear locks, and perform repairs, but it does not clearly warn users about possible side effects such as interrupted workloads, changed configuration, or data loss. In an HA/system-management skill, normalizing destructive maintenance without explicit safety caveats increases the chance of unsafe deployment and unintended damage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Describing "session purging" without explicitly stating that user sessions, history, or cached state may be deleted is unsafe because users may enable the skill expecting harmless cleanup. Given this is positioned as automated nightly maintenance, the omission materially increases the risk of silent data loss or disruption to active workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Advertising MD5-verified configuration rollback from a "shadow vault" without warning that current user configuration may be overwritten is dangerous in a system-administration context. Users may lose intentional local changes or reintroduce insecure/incorrect prior states, especially if rollback is automated during recovery.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill omits a clear warning that it runs persistently and performs automatic repair, cleanup, and potentially disruptive actions in the background. In this context, the lack of disclosure materially increases risk because users may not realize that processes can be restarted, data can be pruned, or system state can change autonomously on a schedule.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide describes destructive maintenance operations such as forcibly fixing configuration, destroying stale session locks, and changing file permissions without any user-facing warning, confirmation, backup guidance, or scope limits. In an HA/automation skill, undocumented destructive actions are risky because operators or downstream agents may treat them as safe routine maintenance and unintentionally delete state or disrupt active workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents automatic rollback from `/vault` and physical overwrite of `openclaw.json`, plus a reset/reinstallation path, but provides no warning that existing configuration may be replaced or lost. In a self-healing system this is more dangerous because overwrite behavior may be triggered during incident conditions, causing silent configuration loss, rollback to stale settings, or restoration of unsafe parameters.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly instructs operators to perform destructive recovery actions such as fully uninstalling OpenClaw, clearing all npm/pnpm caches, and reinstalling the kernel, but it does so without any prominent warning about service interruption, configuration loss, or data loss. In operational documentation for a self-healing system, this creates a realistic risk that an administrator will execute high-impact steps prematurely or without backups, causing avoidable outage or irreversible loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document includes a one-click termination script that unregisters services, kills processes, and deletes logs/cache, but it does not present an explicit safety warning, confirmation step, backup guidance, or scope limitation. In an agent skill for HA/self-healing infrastructure, such instructions are more dangerous because operators may execute them during incidents under time pressure, increasing the chance of accidental service disruption, loss of forensic logs, or destruction of troubleshooting state.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.