OpenClaw Direct Setup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw installer, but it makes broad system changes that are under-scoped and partly inconsistent with its safety claims.

Install only after reviewing setup.sh and being comfortable with global package installs, remote installer execution, extra skills, persistent local config, and background services. Consider declining the firewall step, avoid storing sensitive API keys in a broadly readable config file, and prefer a version that pins dependencies, verifies remote installers, and makes extra skills optional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill advertises user-invocable installation behavior but does not declare permissions despite clearly involving shell execution and environment access. This creates a transparency and consent problem: users and platforms cannot accurately assess that invoking the skill will run install commands, modify global state, and start services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented purpose understates the actual behavior by framing the skill as a simple OpenClaw installer while it also installs additional software, adds skills, may pull models, starts background services, may alter firewall settings, and opens a browser. This mismatch is dangerous because users may consent to one narrow action but actually authorize broader system changes and network-relevant behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The installer claims to set up OpenClaw, but it also installs ClawHub and additional third-party skills that are not necessary for the stated core purpose. This expands the trust boundary and attack surface by fetching and installing extra code from external sources without clearly informing the user or requiring opt-in.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Installing a 'pc-assistant' skill is not justified by a basic OpenClaw installer and may grant broader host-interaction capabilities than users expect. Bundling such a skill by default can introduce privileged local actions or surveillance-like functionality under the guise of a generic product install.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The script says it will add a firewall rule to block external access, but the firewalld branch uses '--add-port', which opens the port rather than denies it. This mismatch can directly undermine the advertised hardening and may expose the service externally if binding or other network assumptions change.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The README instructs users to place an API key in a local config file but does not warn about file permissions, secret exposure, or safer alternatives such as environment variables or OS keychains. This can lead to inadvertent credential disclosure through world-readable files, backups, screen sharing, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The quick-start instructions encourage one-click execution without clearly warning that the scripts perform global npm installs, create persistent config and workspace directories, start local services, and may change firewall configuration. That omission undermines informed consent and increases the chance that users execute impactful system changes they did not understand.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Piping a remote script from curl directly into sh executes unaudited code from the network immediately on the user's machine. If the remote server, transport, DNS, or upstream content is compromised, the installer becomes a code-execution vector with the user's privileges.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script performs global npm installs and remote skill installs that modify the user's system and toolchain without an explicit warning about those changes. Silent installation of persistent global packages and external skills increases supply-chain risk and can surprise users with additional executables and capabilities.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
Automatically starting background services and opening a browser changes system state and network exposure without prior user approval. While often intended for convenience, this behavior can mask unintended service startup, persistence-like effects during the session, and confusion about what is running.

VirusTotal

64/64 vendors flagged this skill as clean.
