OpenClaw Helper

Security checks across malware telemetry and agentic risk

Overview

This is a deployment cheat sheet for OpenClaw; its root SSH and credential-setting commands are powerful but visible and directly tied to that purpose.

Install only if you administer the target OpenClaw server. Before using the commands, confirm the IP and environment, avoid exposing secrets in shared terminals or logs, quote substituted values safely, and expect configuration changes plus a gateway restart on the remote host.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill provides ready-to-run commands that write live secrets (API keys, App Secret) into a remote host configuration and restart a production-relevant service, but it does not warn users about secret exposure, shell history leakage, least-privilege handling, or the operational risk of modifying a live system. In a troubleshooting/deployment skill, this is contextually expected behavior, but the absence of safety guidance still creates a real risk of credential mishandling and unintended service disruption.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal