ClawDoctor

Security checks across malware telemetry and agentic risk

Overview

ClawDoctor matches its health-monitoring purpose, but its repair features can stop services, kill processes, edit configuration, delete logs, and expose those actions through unauthenticated local web endpoints without enough user control.

Install only if you are comfortable with a local maintenance tool that can alter OpenClaw state. Use status and scan modes first, back up ~/.openclaw/openclaw.json, avoid one-click fixes on production systems without reviewing the code, and do not expose the dashboard or repair API beyond trusted local use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if issue == "gateway_start_failed":
                try:
                    # Try to restart the Gateway
                    subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)
                    time.sleep(2)
                    subprocess.run(
                        ["launchctl", "bootstrap", "gui/$UID",
Confidence
84% confidence
Finding
subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try to restart the Gateway
                    subprocess.run(["pkill", "-f", "openclaw-gateway"], check=False)
                    time.sleep(2)
                    subprocess.run(
                        ["launchctl", "bootstrap", "gui/$UID", 
                         "~/Library/LaunchAgents/ai.openclaw.gateway.plist"],
                        check=False, shell=True
Confidence
98% confidence
Finding
subprocess.run( ["launchctl", "bootstrap", "gui/$UID", "~/Library/LaunchAgents/ai.openclaw.gateway.plist"],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def restart_gateway(self):
        try:
            print("       🔧 正在自动修复: 重启 Gateway...")
            subprocess.run(["pkill", "-f", "openclaw-gateway"], capture_output=True, check=False)
            time.sleep(2)
            subprocess.run(["launchctl", "start", "ai.openclaw.gateway"], capture_output=True)
            time.sleep(3)
Confidence
86% confidence
Finding
subprocess.run(["pkill", "-f", "openclaw-gateway"], capture_output=True, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # 1. Stop the existing Gateway
            subprocess.run(["openclaw", "gateway", "stop"], capture_output=True)
            time.sleep(2)
            fixes.append("停止现有 Gateway")
Confidence
88% confidence
Finding
subprocess.run(["openclaw", "gateway", "stop"], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
time.sleep(1)
            
            # 3. Restart the Gateway
            result = subprocess.run(
                ["openclaw", "gateway", "start"],
                capture_output=True, text=True
            )
Confidence
87% confidence
Finding
result = subprocess.run( ["openclaw", "gateway", "start"], capture_output=True, text=True )

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The CLI presents monitor mode as health monitoring, but the implementation also performs automatic repair by stopping and restarting services when the gateway is not 'running'. This mismatch is dangerous because users may invoke a seemingly observational mode that actually makes disruptive system changes.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The category-specific repair buttons imply that real remediation actions are being performed, but the implementation only waits briefly and then displays a hardcoded success message. This is dangerous because operators may believe issues were fixed when no backend action occurred, leading to prolonged exposure, failed incident response, or unsafe system state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README prominently advertises automatic repair and installation capabilities but does not warn users that these actions may modify system state, restart services, or change configurations. In an agent-skill context, encouraging one-click remediation without describing scope, side effects, or rollback options can mislead users into running impactful operations they do not fully understand.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to execute a local shell script directly (`./install.sh`) without any explanation of what it does or any safety precautions. This is dangerous because installation scripts can perform arbitrary privileged actions, and in a skill-distribution setting users may copy-paste the command without reviewing the script contents first.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Documenting a `--fix` command as a one-click repair action without clarifying what it changes creates risk of unintended or irreversible modifications. In a system-monitoring/fixer skill, this context increases danger because users are explicitly encouraged to let the tool alter system state to resolve issues.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The README tells users to start a web server and references a local dashboard but does not state the bind address, authentication model, or whether any data is exposed. Even though the example URL is localhost, failing to document network exposure and privacy considerations can lead to unsafe deployment assumptions if the server configuration changes or is proxied.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README prominently advertises 'one-click repair' and automatic fixing capabilities without any warning that these actions may change system state, configuration, or installed components. In an agent-skill context, this can mislead users into triggering privileged or destructive modifications without informed consent, increasing the chance of accidental damage or unsafe execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage section gives a direct command for '--fix' with no caution about side effects, rollback limitations, or required privileges. Because users often copy-paste README commands verbatim, this omission raises the risk of unintended environment changes, service disruption, or unsafe automated remediation on production-like systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly advertises a 'one-click repair' capability but provides no warning about what files, services, or configurations it may change. In a system-management skill, this can mislead users into executing privileged or destructive actions without informed consent, increasing the risk of unsafe modifications to system or skill files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill performs automatic process termination and restart with no warning, consent, or review step. In an autonomous agent setting, self-triggered remediation that alters running services is risky because false positives or local interference can cause repeated service disruption or unintended state changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent performs automatic process termination and restart without explicit user approval, dry-run mode, or strong warnings. In skill/agent contexts, autonomous remediation increases danger because it can unexpectedly disrupt local services or repeatedly interfere with system state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The monitoring loop automatically triggers gateway repair whenever status is abnormal, with no confirmation or safety interlock. In an agent skill context, autonomous process termination and restart behavior increases the risk of accidental denial of service, cascading failures, and unsafe interference with a live environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The one-click fix path stops the gateway, terminates matching processes, and restarts the service without warning the user about disruption or validating that these actions are safe. This can cause unintended downtime and kill unrelated processes whose names happen to match the coarse selection logic.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The one-click fix path terminates any process bound to port 18789 and also kills processes whose command line contains 'openclaw-gateway', without explicit confirmation or ownership checks. In a privileged execution context, this can disrupt unrelated local services or terminate the wrong process, causing avoidable denial of service and unsafe administrative side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fix routine silently rewrites ~/.openclaw/openclaw.json, adding defaults and saving the file after only basic JSON parsing. Although it creates a backup, unprompted configuration mutation can alter security-sensitive behavior, break deployments, or weaken existing settings if the tool is run in an automated or trusted-maintenance context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The log-fixing routine deletes large .log files automatically from multiple directories without explicit warning, retention policy checks, or truncation/rotation safeguards. This can destroy forensic evidence, remove audit trails, and impair incident response, especially because one-click fix bundles this destructive behavior with other maintenance actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The one-click fix button directly triggers a POST request to a backend fix endpoint without confirmation, scope disclosure, or warning about system modifications. In a health-monitoring and repair dashboard, that can cause unintended configuration or service changes from an accidental click or from a user who does not understand the consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer unconditionally appends a PATH modification to both ~/.zshrc and ~/.bashrc without informing the user or checking whether the entry already exists. This creates persistent changes to the user's shell environment and can lead to duplicate entries or unintended execution precedence for programs placed in ~/.local/bin.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The POST endpoints expose sensitive repair operations such as fix_all(), fix_gateway(), and fix_config() with no authentication, authorization, CSRF protection, or confirmation step. Even though the server binds to 127.0.0.1, any local process or a malicious webpage can potentially trigger these state-changing actions because CORS is set to '*' and the API performs the action immediately on receipt.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The POST /api/fix* endpoints trigger state-changing remediation actions with no authentication, authorization, confirmation step, or CSRF protection. Even though the server binds to 127.0.0.1, any local process or a malicious website via the wildcard CORS policy could potentially induce a user's machine to invoke these destructive operations, leading to unauthorized configuration changes or service disruption.

VirusTotal

64/64 vendors flagged this skill as clean.
