ohmyopenclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw setup guide, but it enables autonomous background agents, persistent memory, external notifications, and broad configuration changes that users should review carefully.

Install only if you intentionally want OpenClaw reconfigured for autonomous multi-agent operation. Before applying the agent-swarm or monitor guides, review the generated openclaw.json and AGENTS.md changes, keep cron/heartbeat/autoSpawn disabled until needed, require human review for worker code changes, protect any API keys in ~/.openclaw/.env, and verify webhook destinations and provider-routing privacy implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Description-Behavior Mismatch (Medium severity, 92% confidence)

The guide is framed as configuration/setup documentation, but it includes behavioral instructions for autonomous orchestration, delegation, monitoring, and recovery logic. That expands the skill from passive setup into active agent control, which can cause unattended actions and surprise task execution in a user workspace.

Context-Inappropriate Capability (Medium severity, 94% confidence)

The 'Proactive Work' section explicitly instructs scanning for TODOs, checking open issues, and spawning agents autonomously, which introduces self-directed task discovery beyond normal setup. In an agent skill, this is risky because it authorizes broad, potentially unbounded actions without a direct user request for each task.

Description-Behavior Mismatch (Medium severity, 94% confidence)

The guide explicitly enables autonomous monitoring, task discovery, agent spawning, and auto-recovery loops. In an agent skill, these capabilities materially expand behavior from passive setup guidance into unattended operation that can initiate actions without fresh user approval, increasing the risk of unintended changes or abuse if the monitored inputs are attacker-controlled.

Context-Inappropriate Capability (Medium severity, 88% confidence)

The document adds outbound notification and callback behavior, which introduces data egress paths beyond basic local configuration. Even as examples, webhook integrations can leak project metadata, error contents, or task details to third parties if enabled without strict review.

Context-Inappropriate Capability (Medium severity, 85% confidence)

Directing the agent to scan GitHub issues and stale PRs broadens the skill into repository monitoring and workflow management, which exceeds simple OpenClaw setup. This increases exposure to untrusted remote content and can trigger automated actions based on externally supplied text or issue state.

Context-Inappropriate Capability (High severity, 97% confidence)

The guide recommends autonomous bug fixing via spawned workers that can modify code and close tasks. This is dangerous because it couples monitoring with code changes, allowing unattended edits based on logs, TODOs, or inferred failures, which can introduce defects, security regressions, or malicious prompt-influenced modifications.

Missing User Warnings (Medium severity, 84% confidence)

The skill explicitly states that guides can be read and applied automatically, which implies the agent may make configuration changes without clearly warning users that files or system settings could be modified. In an agent-skill context, that omission increases the risk of unintended or unsafe execution because users may treat the documentation as low-risk guidance rather than automation with side effects.

Missing User Warnings (High severity, 98% confidence)

The installation instructions include shell and PowerShell one-liners that fetch and immediately execute remote content, which is a well-known high-risk pattern. If the remote endpoint is compromised, changed, or intercepted, users could run arbitrary code on their machine without reviewing it first.

Missing User Warnings (Medium severity, 90% confidence)

The workflow says the AI will execute configuration changes, verify setup, and update workspace files, but it does not present explicit safeguards, approval gates, or warnings about potentially destructive actions. In a skill intended for automatic application, this can normalize autonomous command execution and file modification beyond what users expect.

Missing User Warnings (Medium severity, 88% confidence)

The guide index promotes a monitoring guide that configures cron jobs, proactive scanning, and autonomous task discovery, but it does not warn users that these features may run continuously or make system-affecting changes. In an AI setup skill, this omission is risky because users may apply the guide expecting passive assistance while instead enabling background automation with persistence and broader operational impact.

Missing User Warnings (Medium severity, 90% confidence)

The guide instructs creating persistent directories under ~/.openclaw/workspace without warning that it modifies local state. In a setup skill, silent filesystem changes can surprise users, persist across sessions, and create artifacts later used by automated workflows.

Missing User Warnings (Medium severity, 93% confidence)

The added AGENTS.md content enables heartbeat-based monitoring, failed-task recovery, and new work discovery, but the guide does not clearly warn users that this turns on automated system behavior. This increases the chance of background actions occurring without informed consent.

Missing User Warnings (Medium severity, 93% confidence)

The guide instructs users to place multiple live API credentials in a local .env file but provides no warning about secret handling, file permissions, accidental commits, shell history exposure, or rotation. In a setup guide, this omission can lead to credential leakage through source control, backups, shared machines, or copied support bundles.

Natural-Language Policy Violations (Medium severity, 82% confidence)

The routing rule automatically sends Chinese-language user requests to Chinese providers without explicit user consent or a privacy choice. This can cause unintentional cross-provider data transfer based solely on language, which is risky when prompts may contain sensitive business, personal, or regulated information.

Missing User Warnings (Medium severity, 90% confidence)

The guide explicitly enables persistent storage and semantic indexing of past conversations, decisions, and knowledge across sessions, but it does not warn users that potentially sensitive prompts, decisions, or secrets may be retained and made retrievable later. This creates a real privacy and data-retention risk, especially in environments where users may discuss credentials, internal architecture, or regulated data with the assistant.

Missing User Warnings (Medium severity, 88% confidence)

The guide states that it will modify openclaw.json, MEMORY.md, AGENTS.md, and archive content, and later describes automatic updates during memory flush, but it does not clearly warn users that workspace files will be created or overwritten as part of the setup. Silent or insufficiently disclosed file writes can unexpectedly alter project state, leak data into tracked files, or persist agent-generated content where users did not intend it.

Missing User Warnings (Medium severity, 90% confidence)

The guide states it will modify configuration and workspace files and create monitoring state, but does not prominently warn about operational impact such as persistent background activity, task creation, log scanning, or automated recovery. Users may enable behavior with side effects they do not fully understand.

Missing User Warnings (Medium severity, 92% confidence)

Webhook and notification features are presented without a privacy or data handling warning. Error logs, task metadata, and repository information may contain sensitive content, and sending them externally can create confidentiality and compliance risks.

VirusTotal

63/63 vendors flagged this skill as clean.