ClawDoctor

Security checks across malware telemetry and agentic risk

Overview

ClawDoctor has a legitimate cost-analysis purpose, but it can read private session transcripts and make live fleet configuration changes from broad conversational approvals.

Install only if you are comfortable with this skill reading recent OpenClaw transcripts, saving local cost-analysis state, and potentially changing live agent configuration. Before approving any fix, require the exact affected agents, patch payload, expected savings, and rollback steps; avoid broad approvals like 'sure' or 'do all of them' on production fleets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill is presented as a behavioral cost-analysis/reporting tool, but it also accepts follow-up language to apply live fleet configuration changes. That expands it from advisory analytics into an operational actor with write access, creating a privilege/scope mismatch that can surprise users and enable unsafe changes from a reporting context.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
Directly invoking config.patch is powerful and can alter agent behavior, schedules, models, or other fleet settings. For a skill whose stated purpose is cost coaching, this is unjustified authority concentration and increases the blast radius if the skill misinterprets user intent, is prompt-injected, or produces an incorrect fix payload.

Intent-Code Divergence

High
Confidence: 95%
Finding
The skill explicitly declares it is 'ONLY a cost analyst' and later instructs itself to perform operational fixes. This contradiction is dangerous because users and operators may trust it as read-only analysis when it actually has write behavior, undermining informed consent and increasing the chance of unsafe autonomous changes.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The file documents concrete `config.patch` commands and payloads to modify live fleet configuration, which goes beyond the stated behavior of a coaching/analytics skill. If the agent follows this guidance, it could make unauthorized operational changes such as downgrading models, altering timeouts, or modifying prompts, creating integrity and change-control risks.

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The documentation requires writing persistent state files after every report and run, which exceeds a purely analytical/coaching role and introduces unadvertised statefulness. Persistent writes can leak operational metadata, create unintended retention of sensitive usage information, and surprise users who expect a read-only analysis tool.

Vague Triggers

Medium
Confidence: 96%
Finding
Natural-language triggers like 'yeah do that', 'sure', or 'fix the model thing' are ambiguous and can easily match ordinary conversation. In a skill that can call config.patch, this creates a real risk of unintended or mis-targeted changes based on vague acknowledgements rather than explicit, auditable authorization.

Missing User Warnings

High
Confidence: 93%
Finding
The skill mandates fetching chat histories for top sessions, which can expose sensitive transcript contents, but it does not prominently warn users that it will read potentially private session data. This is a privacy and consent issue, especially because transcript analysis is mandatory and broad across multiple sessions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill writes memory files and can later apply configuration changes, but the user-facing description does not clearly warn that it performs persistent local writes and system modifications. Hidden statefulness and modification behavior can mislead users about side effects and complicate auditability or rollback.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs persistent local storage of analysis outputs without any warning or consent language, which is a privacy and transparency issue. The stored files include fleet grades, cost data, issue summaries, timestamps, and agent identifiers, all of which may be sensitive operational telemetry if accessed by other processes or users.

VirusTotal

50/50 vendors flagged this skill as clean.
