
Security audit

OpenClaw Multi-Instance

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to connect multiple OpenClaw machines, but to do so it has users establish durable cross-machine control and sync sensitive identity, memory, and tool files with limited safeguards.

Install it only if you control and fully trust every OpenClaw instance involved. Before use, review exactly which hosts, tokens, SSH keys, files, and cron jobs it will touch; do not sync TOOLS.md or other secret-bearing files unless you have checked them by hand; and prefer private networking, scoped credentials, backups, and an explicit confirmation step before any remote execution or memory synchronization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill instructs users/agents to read and write local files such as SSH keys, identity files, memory stores, and configuration, but it does not declare corresponding permissions. Undeclared file capabilities reduce transparency and can cause the skill to be invoked in contexts where operators do not realize it will access or modify sensitive state.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guide instructs retrieval and use of the remote instance's gateway token, which the document itself acknowledges provides complete control. That creates an overprivileged trust channel between instances; compromise of one instance, transcript, or config leaks a credential that can fully operate the peer.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Appending keys to authorized_keys establishes persistent passwordless shell access, which is far broader than simple message relay or file sync. If the local or remote agent is compromised, the attacker gains durable lateral movement and arbitrary command execution on the peer host.
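The persistent-access risk above comes from appending a bare key. OpenSSH honours per-key options in authorized_keys (`restrict`, `from=`, `command=`), so a peer that only needs to relay messages or sync files can be confined to a forced command from a known address. The following is an added example, not code from the skill or from OpenClaw: it parses constructed authorized_keys entries, reports which ones still grant an unrestricted shell, and rewrites a bare key as a forced-command entry. The sample keys, the rsync command used as the forced command, and the policy that every peer key must carry all three options are assumptions.

```python
"""Audit authorized_keys entries before letting a peer append its key.

Added example, not part of the OpenClaw skill: the entries below are
constructed, and the policy (every peer key must carry restrict, from= and
command=) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

KEY_TYPES = ("ssh-ed25519", "sk-ssh-ed25519@openssh.com", "ssh-rsa",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class Entry:
    options: list[str]
    key_type: str
    key: str
    comment: str


def split_options(opts: str) -> list[str]:
    """Split the comma-separated option field without splitting inside
    double quotes, e.g. from="10.0.0.5,10.0.0.6" is a single option."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str) -> Optional[Entry]:
    """Return the parsed entry, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for kt in KEY_TYPES:
        # The options field, if any, is everything before the key-type token.
        m = re.search(r"(?:^|\s)" + re.escape(kt) + r"\s+(\S+)\s*(.*)$", line)
        if m:
            opts = line[: m.start()].strip()
            return Entry(split_options(opts) if opts else [], kt, m.group(1), m.group(2))
    return None


def audit(entry: Entry) -> list[str]:
    """List what the entry still permits that a sync/relay peer should not."""
    names = {o.split("=", 1)[0] for o in entry.options}
    problems = []
    if "command" not in names:
        problems.append("no forced command: the peer gets an interactive shell")
    if "restrict" not in names:
        problems.append("no restrict: port/agent/X11 forwarding and pty allowed")
    if "from" not in names:
        problems.append("no from=: key usable from any source address")
    return problems


def harden(key_line: str, command: str, source: str) -> str:
    """Rewrite a bare public key as a forced-command, source-restricted entry."""
    e = parse_line(key_line)
    if e is None:
        raise ValueError("not a public key line")
    return f'restrict,from="{source}",command="{command}" {e.key_type} {e.key} {e.comment}'.rstrip()


def audit_file(text: str) -> dict[str, list[str]]:
    """Map each entry's comment (or key prefix) to its list of problems."""
    return {(e.comment or e.key[:12]): audit(e)
            for e in map(parse_line, text.splitlines()) if e is not None}


# Constructed sample; the key material is not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# peer added by the multi-instance setup as a bare key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealAAAAAAAAAAAAAAA openclaw-peer
# same peer confined to the sync command and two source addresses
restrict,from="10.0.0.5,10.0.0.6",command="rsync --server --sender -logDtpr . /srv/openclaw/sync" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealBBBBBBBBBBBBBBB sync-only
"""

if __name__ == "__main__":
    for name, problems in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the peer's real authorized_keys before the setup step appends anything; an entry that `audit` reports clean still deserves a look at what the forced command itself can do, since `rsync --server` with a writable target path is enough to overwrite the very files the skill syncs.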

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic cross-machine memory sharing and merging as a feature, but it does not clearly explain that user conversations, preferences, secrets, or other sensitive context may be replicated to additional hosts. In a multi-instance agent system, this expands the trust boundary and can unintentionally expose private data to less secure machines or administrators of those machines.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented workflow normalizes copying files to other machines and remotely executing deployment actions, but the README does not prominently warn that this can move sensitive files across trust boundaries and trigger powerful remote operations. If a user misconfigures peers or misunderstands scope, this can lead to unauthorized data transfer or command execution on production systems.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad natural-language phrases such as '另一台服务器' ("another server") and '同步记忆' ("sync memory"), which could activate this high-risk skill during ordinary conversation. Because the skill enables remote access and synchronization of sensitive state, accidental invocation materially increases the chance of unintended data transfer or credential setup.

Ssd 3

Medium
Confidence
90% confidence
Finding
Sharing and merging agent 'memory' and configuration across instances can replicate sensitive prompts, credentials, operational details, and personal context between systems. Because the README frames this as seamless and '无感知' (imperceptible to the user), users may underestimate the security and privacy consequences of broad context propagation.

Ssd 3

Medium
Confidence
86% confidence
Finding
The example encourages retrieving remote log files and displaying their contents via natural-language requests, which can surface secrets, tokens, request metadata, or user information contained in logs. In an agentic system, making this workflow easy and conversational increases the chance of oversharing sensitive operational data to the wrong interface or user.

Ssd 3

High
Confidence
95% confidence
Finding
The setup steps explicitly instruct transferring identity and memory files to another machine, which can expose credentials, trust material, and sensitive accumulated context to any compromise of that peer. This is especially dangerous because identity files often underpin authentication, and copying them broadens the blast radius far beyond simple data sync.

Ssd 3

High
Confidence
98% confidence
Finding
The skill directs copying and continual merging of IDENTITY.md, SOUL.md, USER.md, MEMORY.md, TOOLS.md, AGENTS.md, and memory/ between instances. These files can contain secrets, personal data, prompts, tool credentials, and operational context, creating a built-in channel for large-scale data leakage and cross-instance contamination.

External Transmission

Medium
Category
Data Exfiltration
Content
Then restart the Gateway: `openclaw gateway restart`

**Verify**: test with curl (excerpt truncated in the audited content):
```bash
curl -sS http://<REMOTE_IP>:<PORT>/v1/chat/completions \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d
```
Confidence
87% confidence
Finding
The verification step sends the gateway token as `Authorization: Bearer <TOKEN>` to `http://<REMOTE_IP>:<PORT>/v1/chat/completions`. The URL uses plain HTTP, so the token the guide describes as granting complete control of the peer, together with whatever prompt content is in the request body, crosses the network unencrypted and can be recorded by anything on the path.
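The overview's advice (do not sync TOOLS.md or other secret-bearing files without a manual check; prefer private networking) and the verification snippet above, which carries the gateway bearer token over plain HTTP, can both be turned into a pre-flight check that runs before any file is copied or any request is sent. The following is an added example, not code from the skill or from OpenClaw: it screens a constructed set of instance files for secret material and checks the gateway URL's scheme and address range. The file names follow the findings on this page; the file contents, the secret patterns, the port, and the refuse-rather-than-redact policy are assumptions.

```python
"""Pre-sync guard for OpenClaw instance files and the gateway endpoint.

Added example, not part of the OpenClaw skill. File names follow the findings
above; the contents, patterns and policy are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Named in the overview as a file not to sync without a manual check.
NEVER_SYNC = frozenset({"TOOLS.md"})

# Deliberately loose: a false positive costs a manual review, a miss copies a secret.
SECRET_PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "bearer token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{16,}"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret|password)\s*[:=]\s*\S{8,}"),
}


def find_secrets(text: str) -> list[str]:
    """Names of the secret patterns that match anywhere in the text."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def plan_sync(files: dict[str, str],
              reviewed: frozenset = frozenset()) -> tuple[list[str], dict[str, str]]:
    """Split files into those safe to copy and those blocked, with a reason.

    `reviewed` names files a human has already inspected; it lifts only the
    never-sync rule, never the content scan."""
    allowed, blocked = [], {}
    for name, content in files.items():
        if name in NEVER_SYNC and name not in reviewed:
            blocked[name] = "on the never-sync list; needs manual review"
            continue
        hits = find_secrets(content)
        if hits:
            blocked[name] = "contains " + ", ".join(hits)
            continue
        allowed.append(name)
    return allowed, blocked


def check_gateway_url(url: str) -> list[str]:
    """Problems with sending a bearer token to this gateway URL."""
    p = urlparse(url)
    problems = []
    if p.scheme != "https":
        problems.append(f"scheme {p.scheme!r}: the bearer token crosses the network in cleartext")
    try:
        ip = ipaddress.ip_address(p.hostname or "")
    except ValueError:
        return problems  # hostname, not an IP literal: resolve and check separately
    if not ip.is_private:
        problems.append(f"{ip} is not a private address; prefer private networking")
    return problems


# Constructed sample instance files; nothing here is real data.
SAMPLE_FILES = {
    "IDENTITY.md": "# Identity\nName: assistant-a\nRole: ops helper for the staging cluster\n",
    "MEMORY.md": "User prefers terse replies. Last deploy reviewed on 2024-05-01.\n",
    "TOOLS.md": "## deploy tool\nAPI_KEY=sk-live-0123456789abcdef\n",
    "memory/2024-05-01.md": "Tested the peer with curl -H 'Authorization: Bearer abcdefghijklmnopqrstuv'\n",
}

if __name__ == "__main__":
    allowed, blocked = plan_sync(SAMPLE_FILES)
    print("would sync:", allowed)
    for name, why in blocked.items():
        print("blocked:", name, "->", why)
    # 8.8.8.8 stands in for any public address; 8443 is an assumed port.
    for url in ("http://8.8.8.8:8443/v1/chat/completions",
                "https://10.0.0.5:8443/v1/chat/completions"):
        print(url, check_gateway_url(url) or "OK")
```

The memory file is the instructive case: it holds no configuration at all, yet a token pasted into a conversation log gets replicated to every peer by the memory merge, which is exactly the leakage path the findings above describe.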

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.