
Security audit

Agent Create Config

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenClaw agent setup guide, but it includes secret handling, account binding, service restarts, and weak confirmation boundaries that users should review carefully.

Install only if you specifically want an OpenClaw agent provisioning workflow. Review each filesystem and openclaw.json change before it runs, keep Feishu bot tokens and app secrets out of chat transcripts and shell history, verify each per-agent account binding manually, and approve a gateway restart only when disrupting the other agents it serves is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill goes beyond generating an agent config: it explicitly instructs users to set Feishu bot tokens, app secrets, and per-agent account bindings. That expands the skill into credential handling and account orchestration, which increases the blast radius and can lead to secret exposure, identities bound to the wrong agent, or unauthorized channel access if the steps are followed blindly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The documented process includes restarting the OpenClaw Gateway service as part of normal agent creation. Service-management actions can disrupt running workloads, affect other agents, and create an unnecessary operational side effect outside the narrow scope of creating configuration files.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger condition is broad enough that ordinary user requests about creating an agent or robot could activate this skill unintentionally. In an orchestration environment, accidental activation can cause the system to gather sensitive configuration details or initiate workspace/config changes when the user did not explicitly intend to run this workflow.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The example trigger '当用户说"创建一个 xxx Agent"时' ("when the user says 'create an xxx Agent'") is an ambiguous activation rule with no boundaries, so the skill may run on a conversational mention rather than a deliberate invocation. This increases the risk of unintended task execution, especially because the workflow creates files, modifies openclaw.json, and hands implementation steps to another agent.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The markdown directs file creation, possible deletion, and later secret configuration without prominently warning about filesystem changes, overwrites, or the security implications. In an agent context this normalizes persistent system modifications without informed user consent, increasing the risk of unintended data loss or unsafe execution.
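As an added example, and not code from SkillSpector, NVIDIA, or the OpenClaw project: a small heuristic scanner in Python that flags the finding classes above (vague trigger, credential handling, gateway restart, destructive file operations, openclaw.json edits, and the absence of a consent step) in a skill's markdown. The regexes, rule names, and both sample skill texts are constructed assumptions; the second sample shows how an explicit command trigger and confirmation gates change the result.

```python
"""Added example, not SkillSpector or any OpenClaw tooling: a heuristic
scanner for the finding classes in this report. Rule regexes, category
names and both sample skill texts are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One heuristic regex per finding class; all are assumptions, not a real rule set.
RULES = {
    "vague_trigger": re.compile(
        r"when the user (says|mentions|asks)|whenever .* mentioned", re.I),
    "credential_handling": re.compile(
        r"\b(app[_ ]?secret|bot[_ ]?token|api[_ ]?key|access[_ ]?token)\b", re.I),
    "service_management": re.compile(
        r"\b(systemctl|service)\s+(restart|stop|start)\b|\brestart(ing)? the .*gateway\b", re.I),
    "destructive_fs": re.compile(r"\brm\s+-rf?\b|\boverwrite\b|\bdelete\b", re.I),
    "config_mutation": re.compile(r"openclaw\.json", re.I),
}

# Steps matching these rules should each require an explicit per-action confirmation.
NEEDS_CONFIRMATION = {"credential_handling", "service_management", "destructive_fs", "config_mutation"}

# Phrases that count as a visible consent/warning step (heuristic, constructed).
CONSENT_RX = re.compile(r"confirm with the user|ask for confirmation|warning:|before proceeding", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


def scan_skill(markdown: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in document order."""
    findings: list[Finding] = []
    for n, line in enumerate(markdown.splitlines(), start=1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(rule, n, line.strip()))
    return findings


def summarize(markdown: str) -> dict:
    """Aggregate findings the way the report above groups them."""
    findings = scan_skill(markdown)
    risky = [f for f in findings if f.rule in NEEDS_CONFIRMATION]
    return {
        "findings": findings,
        "rules_hit": sorted({f.rule for f in findings}),
        "actions_needing_confirmation": len(risky),
        # Missing-warning finding: risky steps present but no consent phrase anywhere.
        "missing_user_warnings": bool(risky) and CONSENT_RX.search(markdown) is None,
    }


# Constructed sample mirroring the audited behaviour; not the real skill text.
SAMPLE_SKILL = """\
# Agent Create Config (constructed sample, not the audited skill)
Trigger: when the user says "create an xxx Agent".
1. Create workspace/<name>/ and delete any existing config in that directory.
2. Add the agent to openclaw.json.
3. Ask the user for the Feishu bot token and app secret and write them into the config.
4. systemctl restart openclaw-gateway
"""

# Constructed hardened variant: explicit trigger, confirmation gates, secret read from a file.
HARDENED_SKILL = """\
# Agent Create Config (constructed hardened sample)
Trigger: only the explicit command /create-agent <name>.
1. Show the planned files and openclaw.json changes and ask for confirmation before proceeding.
2. Read the Feishu app secret from a 0600 file; never echo it or place it in shell history.
3. Ask for confirmation before restarting the gateway; skip the restart if the operator declines.
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SKILL), ("hardened", HARDENED_SKILL)):
        report = summarize(text)
        print(f"{name}: rules={report['rules_hit']} "
              f"needing_confirmation={report['actions_needing_confirmation']} "
              f"missing_warnings={report['missing_user_warnings']}")
        for f in report["findings"]:
            print(f"  L{f.line_no} [{f.rule}] {f.text}")
```

The hardened variant still trips the credential, config and service rules, which is the intended reading: a skill that genuinely needs those capabilities should keep them but gate each one behind an explicit confirmation and an unambiguous trigger, and a reviewer should expect the scanner to list them rather than hide them.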

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.