Security audit

OpenClaw Deploy Guide

Security checks across malware telemetry and agentic risk

Overview

This is a transparent OpenClaw deployment guide that makes significant local changes only as part of its stated setup purpose and with user confirmation steps.

Install this only if you want an agent-assisted OpenClaw setup. Review each command before approving it, choose only needed components, keep qmd collections pointed at intended non-secret folders, verify third-party repositories and packages, and record any cron jobs, shell rc edits, OpenClaw config changes, or WeChat permissions you enable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly states that the skill will install components, clone repositories, modify `openclaw.json`, restart services, and add cron jobs, but it does not clearly warn users up front that running the skill will make persistent system and configuration changes. In a deployment skill, this omission can cause users to authorize actions without fully understanding the scope of local impact, increasing the risk of unintended configuration drift, persistence mechanisms, or installation of additional software.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrase '帮我部署 OpenClaw 本地能力' ("Help me deploy OpenClaw local capabilities") is broad enough to overlap with ordinary user requests for setup help, which can cause the skill to activate unexpectedly. In this skill's context, unexpected activation is more dangerous because the documented behavior includes checking dependencies, cloning repositories, installing packages, modifying configuration, and adding cron jobs, so an accidental match could lead to meaningful system changes.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad enough to match generic setup requests, which can cause this deployment skill to activate in situations where the user did not intend to run a high-impact installer. In context, this skill contains commands that install software, modify config files, create directories, and register cron jobs, so accidental invocation meaningfully increases risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
This section instructs the user to append environment-variable exports to shell startup files without a prominent warning that this creates persistent changes affecting future sessions. Persistent shell modifications can have unintended side effects, especially if the provided path is wrong or later becomes unsafe.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill creates directories and writes a new MEMORY.md file in the user's workspace but does not clearly warn that files and structure will be created or that existing content may be affected. In a deployment skill, silent filesystem mutation is risky because users may assume it is read-only guidance rather than state-changing setup.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.