OpenClaw Logfire

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Logfire observability plugin, but it can send sensitive agent telemetry such as tool arguments to Logfire by default.

Install only if you are comfortable sending OpenClaw traces and metrics to Pydantic Logfire. For sensitive environments, consider setting captureToolInput to false, keep captureToolOutput and captureMessageContent disabled unless needed, leave distributed tracing off or restrict urlPatterns to trusted services, and keep LOGFIRE_TOKEN in a secret store rather than source-controlled config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation indicates access to environment variables (`LOGFIRE_TOKEN`) and traces shell-tool activity (`execute_tool exec`), but the metadata declares only environment requirements and no explicit permissions model for those capabilities. This mismatch can lead operators to install the skill without understanding that sensitive execution metadata and tool arguments may be collected and exported to an external observability service, increasing the risk of unintended data exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is a deployment and integration plan for a powerful multi-agent automation system, not a Logfire observability skill. This scope mismatch is dangerous because it can smuggle high-risk operational capabilities into a package whose manifest suggests low-risk telemetry/observability behavior, undermining review, approval, and least-privilege expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented scope includes messaging control, workflow approvals, shared-memory writes, SaaS integrations, webhook ingress, and subprocess coding delegation, all far beyond what an observability skill should need. If accepted under the current manifest, reviewers may grant access to external systems and execution features without understanding the real blast radius, enabling data access, action execution, and lateral movement across business systems.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document presents the chief-of-staff agent as read-only while simultaneously granting exec and instructing it to persist cross-system memory. This inconsistency creates a misleading security model: operators may assume the agent cannot modify state, while it can in fact execute commands and trigger durable writes through tools and remote APIs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The changelog explicitly advertises collection of sensitive observability data including tool arguments, message content, workspace identifiers, and inbound webhook trace headers, but provides no user-facing warning or consent language about the privacy implications. In an agent environment, these fields can contain secrets, personal data, proprietary prompts, or internal system context, and forwarding them to external telemetry backends increases the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises capture of tool arguments, stack traces, channel/source metadata, and distributed tracing, but it does not prominently warn that these features can export sensitive operational data to Logfire or downstream services. In an agent environment, tool inputs and errors often contain secrets, filesystem paths, prompts, user content, and internal URLs, so understated disclosure can lead to inadvertent data leakage through observability pipelines.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plan explicitly proposes attaching persistent identifiers like user_id, agent_id, and channel names to observability spans. In telemetry systems, these attributes are often broadly searchable, retained for long periods, and accessible across teams, which can create unnecessary exposure of user-linked activity and enable correlation of behavior without a clear privacy control or minimization strategy.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The SSE tracing proposal adds user-linked metadata from streamed events, including agent_id and event_type, into spans for each received message. This increases the sensitivity of telemetry by turning runtime event flow into a searchable audit trail of individual user activity, and if expanded later to include payload details or statements, could further leak application data into observability backends.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cron/proactive design grants ongoing access to email and calendar data and contemplates autonomous actions without clear user-facing notice, consent, or confirmation boundaries. This is dangerous because it normalizes silent monitoring and action on sensitive personal/business data, increasing the risk of privacy violations and unauthorized operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The shared-memory design directs agents to always persist significant business decisions and preferences into durable cross-system memory without a privacy warning or minimization policy. This creates long-lived, cross-context retention of sensitive organizational data that can be reused or exposed in future interactions and channels beyond the user's immediate expectation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest enables distributed tracing URL matching with a default wildcard of ["*"], which means trace context may be injected into commands targeting any URL once distributed tracing is turned on. That broad scope can leak correlation metadata to untrusted external endpoints and expands the blast radius of tracing beyond intended services, especially in an agent that may interact with arbitrary user-supplied URLs.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The manifest states that tool call arguments are captured by default, but the description does not prominently warn that arguments may contain secrets, personal data, prompts, or other sensitive operational context. In an observability skill, tool inputs are especially sensitive because agents often pass credentials, file paths, user content, or request bodies through tool arguments, so silent capture increases the risk of data exposure to telemetry backends.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly tells the agent to always store user preferences, decisions, and cross-system context for later reuse, which is a persistent surveillance/data-retention behavior rather than a narrow task aid. In the context of a messaging and business automation agent, this increases the chance of overcollection, profiling, and resurfacing sensitive context in unrelated future conversations or channels.

Ssd 3

Medium
Confidence
93% confidence
Finding
The cron prompts direct continuous monitoring of email, calendar, CRM, and campaign data, plus storage of findings in shared memory and delivery over Slack. Combined, this creates an always-on data aggregation and redistribution pipeline that can expose sensitive business information across systems and channels with limited user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
