Openclaw Security Guard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local security tool, but users should review it before installing: its dashboard's privacy claims do not match its behaviour, and some of its file-changing commands run without adequate safeguards.

Install only if you are comfortable with a local security tool that can read OpenClaw/workspace files and, when asked, modify OpenClaw config or Git hooks. Run audit and dry-run modes first, review backups and diffs manually, avoid relying on its dependency scanner as a real CVE audit, and be aware the dashboard loads third-party CDN scripts despite the zero-network privacy claim.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87%
Finding
The skill advertises operational capabilities that imply shell execution and network use, but it declares no corresponding permissions or trust boundaries. This creates a transparency and consent problem: users or host platforms may permit installation under the assumption of lower privilege while the package can still spawn processes, open sockets, or connect to services during audit/dashboard operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93%
Finding
The skill description materially understates behavior by framing the tool as a zero-telemetry security scanner while it also modifies configuration, manages git hooks, launches an authenticated dashboard server, opens a browser, and connects over WebSocket for live monitoring. That mismatch is dangerous because users may install a supposedly passive auditing tool without realizing it has active change-making and network-exposed components, increasing the risk of unintended config changes, local service exposure, and broader attack surface.

Description-Behavior Mismatch

Medium
Confidence
88%
Finding
The module performs state-changing writes to the project's `openclaw.json` even though the skill is described as an audit CLI/dashboard, creating a mismatch between expected read-only behavior and actual mutation. In security tooling, unexpected auto-remediation is risky because a caller may pass issue objects with arbitrary `autoFix` functions that can rewrite configuration in ways the user did not review.

Intent-Code Divergence

Medium
Confidence
93%
Finding
The implementation trusts `issue.autoFix(config)` from each issue object and replaces the whole config with whatever that callback returns, so the hardener can act as a generic arbitrary configuration rewriter rather than a bounded security fixer. In the context of a security skill, this is more dangerous because users are likely to trust its changes, allowing unsafe defaults, disabled protections, or attacker-influenced settings to be silently persisted.

Missing User Warnings

Medium
Confidence
84%
Finding
The `fix` command is documented as automatically fixing security issues and includes an `--auto` mode, but the docs do not prominently warn that it will modify repository files. In a security-focused CLI, users may trust recommended commands and unintentionally trigger bulk changes, which can alter code, configuration, or secrets handling in ways that are hard to review if the modification risk is under-emphasized.

Missing User Warnings

Medium
Confidence
94%
Finding
The `hooks install` action writes a new executable `.git/hooks/pre-commit` script immediately, with no confirmation prompt or warning that repository behavior will be modified. In a developer environment, silently altering Git hook execution can surprise users, interfere with existing hooks, or be abused as a persistence/control mechanism if users invoke the command without understanding its effects.

Missing User Warnings

Medium
Confidence
93%
Finding
The `hooks uninstall` action deletes `.git/hooks/pre-commit` without confirmation and without checking whether the hook was created by this tool. This can remove unrelated repository protections or custom developer workflows, causing integrity and operational issues.

Missing User Warnings

Medium
Confidence
90%
Finding
The code overwrites `openclaw.json` directly with no confirmation, no diff, no backup, and no transactional safety checks, so a mistaken or malicious fix can silently destroy or weaken the active configuration. Because this is framed as security hardening, users may run it in production-like environments and trust it more than ordinary tooling, increasing the chance of harmful unattended changes.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it as clean.