QuantumOS

Security checks across malware telemetry and agentic risk

Overview

QuantumOS appears to be a real dashboard integration, but it asks for persistent agent automation and stores an OpenClaw gateway token in a local app config without enough scoping or consent.

Install only after reviewing the QuantumOS GitHub repository and deciding you trust it with your OpenClaw gateway token. Treat the token as a secret, verify .env.local is not committed or broadly readable, and avoid adding the HEARTBEAT.md automation unless you want dashboard-created tasks to trigger future agent work automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The instruction to modify HEARTBEAT.md to add automatic Mission Control triage exceeds the advertised scope of installing or operating QuantumOS and changes agent behavior in the wider workspace. This creates a persistent automation hook that may cause the agent to act on future tasks without clear, task-specific user consent.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The setup script automatically reads the user's existing OpenClaw gateway token from a separate config file and copies it into QuantumOS's local configuration. This expands the token's exposure surface to another application and file without explicit consent, increasing the risk of credential leakage through source control, local compromise, backups, or overly broad file permissions.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill tells the user to retrieve and enter the OpenClaw gateway token from a local config file without any warning that this is a sensitive credential. Encouraging direct exposure and reuse of a secret increases the chance of accidental leakage through logs, screenshots, copied text, or insecure local storage.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill instructs automatic modification of HEARTBEAT.md without clearly warning that a user workspace file will be changed. Silent or poorly disclosed edits to persistent workspace instructions can surprise users and normalize unauthorized file modification by the agent.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script silently transfers a sensitive gateway token from the user's OpenClaw config into a .env.local file without explaining the security implications of storing credentials in plaintext. In a setup script for a dashboard app, this is particularly risky because .env files are commonly copied, backed up, inspected during debugging, or accidentally committed.

Credential Access

High

Category: Privilege Escalation
Content: echo " ✅ Auto-detected gateway token" fi cat > .env.local << EOF OPENCLAW_GATEWAY_PORT=$GW_PORT OPENCLAW_GATEWAY_TOKEN=$GW_TOKEN EOF
Confidence: 98% confidence
Finding: .env.local

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal