
Security audit

Openclaw Tokenapi Qiehuan Skills

Security checks across malware telemetry and agentic risk

Overview

This model switcher is mostly purpose-aligned, but it stores provider API keys, returns them in full over a read endpoint, and can change security-related OpenClaw settings, all through a local web API that performs no authentication.

Install only if you are comfortable with a local web service that can read and write OpenClaw model configuration, handle provider API keys, restart the gateway, and change advanced agent/tool settings. Before use, add authentication or origin checks, redact API keys from read responses, and require explicit confirmation before switching, deleting, restarting, or changing security-related settings.
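The three mitigations above (authentication plus origin checks, redaction of keys in read responses, and a confirmation step before disruptive actions) as one added Python example. This is not the skill's own code: the route names, field names, token handling and handler signatures are assumptions chosen to illustrate the pattern, and the "provider store" is an in-memory dict standing in for the skill's configuration file.

```python
import hmac
import secrets
import time
from typing import Any, Dict, Optional, Tuple

# Assumed names: the route layout, field names and handler signatures below are
# illustrative and are not taken from the skill's own code.

# Browser origins allowed to call the local API; anything else is a cross-site
# page trying to drive the switcher from inside the user's browser.
ALLOWED_ORIGINS = {"http://127.0.0.1:8765", "http://localhost:8765"}

# Per-process bearer token. A real deployment would persist it to a file with
# user-only permissions so the user's own client can read it.
API_TOKEN = secrets.token_urlsafe(32)

SECRET_FIELDS = {"api_key", "apiKey", "secret", "token"}
CONFIRM_TTL_SECONDS = 60.0

# nonce -> (action it confirms, expiry timestamp)
_pending: Dict[str, Tuple[str, float]] = {}


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def redact_provider(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a provider config with secret fields masked.

    Only the last four characters survive, enough for the user to recognise
    which key is configured without the response being a usable credential.
    """
    out: Dict[str, Any] = {}
    for key, value in config.items():
        if key in SECRET_FIELDS and isinstance(value, str) and value:
            out[key] = "***" + value[-4:] if len(value) > 8 else "***"
        elif isinstance(value, dict):
            out[key] = redact_provider(value)
        else:
            out[key] = value
    return out


def is_authorized(headers: Dict[str, str], token: str = API_TOKEN) -> bool:
    """Require a bearer token and refuse requests from unexpected browser origins."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(auth[len("Bearer "):], token):
        return False
    origin = headers.get("Origin")
    # CLI clients send no Origin header; browsers must come from an allowed one.
    return origin is None or origin in ALLOWED_ORIGINS


def request_confirmation(action: str, now: Optional[float] = None) -> str:
    """Issue a single-use nonce the client must echo back to perform `action`."""
    nonce = secrets.token_urlsafe(16)
    _pending[nonce] = (action, _now(now) + CONFIRM_TTL_SECONDS)
    return nonce


def confirm(action: str, nonce: str, now: Optional[float] = None) -> bool:
    """Consume the nonce; it is valid once, for the same action, before expiry."""
    entry = _pending.pop(nonce, None)
    if entry is None:
        return False
    expected_action, expires = entry
    return expected_action == action and _now(now) <= expires


def handle_get_provider(headers: Dict[str, str], store: Dict[str, Dict[str, Any]],
                        provider_id: str) -> Tuple[int, Dict[str, Any]]:
    """GET /provider/{provider_id} with the key redacted instead of returned."""
    if not is_authorized(headers):
        return 401, {"error": "unauthorized"}
    config = store.get(provider_id)
    if config is None:
        return 404, {"error": "unknown provider"}
    return 200, redact_provider(config)


def handle_restart(headers: Dict[str, str],
                   nonce: Optional[str] = None) -> Tuple[int, Dict[str, Any]]:
    """Two-step restart: first call returns a nonce, second call must present it."""
    if not is_authorized(headers):
        return 401, {"error": "unauthorized"}
    if nonce is None:
        return 202, {"confirm_with": request_confirmation("restart")}
    if not confirm("restart", nonce):
        return 409, {"error": "confirmation missing, reused or expired"}
    # The real handler would start the gateway here; this example only reports.
    return 200, {"status": "restart accepted"}
```

The origin check matters even with a token: a malicious web page cannot read the token, but without the check a page on any site could still fire requests at the loopback port and, if the browser attaches stored credentials, drive the switcher. The confirmation nonce is consumed on first use and bound to the action name, so a nonce issued for a restart cannot be replayed to confirm a delete.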

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
from typing import Tuple

def _execute_command(command: str) -> Tuple[bool, str]:
    """Run a command via the system shell (metacharacters in it are executed)."""
    try:
        result = subprocess.run(
            command,
            shell=True,
            capture_output=True,
            text=True,
            encoding='utf-8',
        )
        return result.returncode == 0, result.stdout or result.stderr
    except Exception as e:  # tail reconstructed; the scanner excerpt ends at encoding='utf-8'
        return False, str(e)
Confidence
95% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, encoding='utf-8',

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

# Windows-only: STARTUPINFO hides the console window of the spawned process
startupinfo = subprocess.STARTUPINFO()
startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW
startupinfo.wShowWindow = subprocess.SW_HIDE
# gateway_cmd and openclaw_home are set elsewhere in the skill; the path is
# interpolated into a shell command line rather than passed as an argv entry
subprocess.Popen(
    f'"{gateway_cmd}"',
    shell=True,
    startupinfo=startupinfo,
    cwd=openclaw_home,
)
Confidence
84% confidence
Finding
subprocess.Popen( f'"{gateway_cmd}"', shell=True, startupinfo=startupinfo, cwd=openclaw_home )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os
import subprocess

script_path = os.path.join(project_root, "tools", "restart_gateway.bat")

try:
    # a one-element list with shell=True still routes through the shell
    subprocess.Popen([script_path], shell=True)
    GatewayController._log(f"Restart script executed: {script_path}")
    return True, "A PowerShell window has been opened to run the restart command"
except Exception as e:
    return False, str(e)  # tail not shown in the scanner excerpt
Confidence
80% confidence
Finding
subprocess.Popen([script_path], shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os
import subprocess

# Start the gateway
gateway_cmd = os.path.join(os.path.expanduser("~"), ".openclaw", "gateway.cmd")
if os.path.exists(gateway_cmd):
    # 0x08000000 is CREATE_NO_WINDOW (Windows-only); the quoted path still goes through the shell
    subprocess.Popen(f'"{gateway_cmd}"', shell=True, creationflags=0x08000000)
    # printed immediately after launch, before the gateway has actually come up
    print("✓ Gateway restart complete")
else:
    print(f"! Gateway startup script does not exist: {gateway_cmd}")
Confidence
88% confidence
Finding
subprocess.Popen(f'"{gateway_cmd}"', shell=True, creationflags=0x08000000)
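All four findings above share one root cause: a path or command string is handed to the system shell with shell=True, so anything the shell treats as syntax (quotes, `;`, `$(...)`) in the string is interpreted. The added Python example below, which is not the skill's code, shows the argv-list alternative with an allowlist of named actions; gateway_commands(), run_allowed() and argv_as_seen_by_child() are assumed names, and the demonstration runs the current interpreter so it works offline on any platform.

```python
import json
import os
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Assumed names: gateway_commands() and run_allowed() are illustrative; the
# skill's real restart code is the shell=True call shown in the findings above.

INTERPRETER = sys.executable  # used as a portable stand-in for gateway.cmd


def gateway_commands(openclaw_home: str) -> Dict[str, List[str]]:
    """Allowlist of actions the switcher may run, each as an argv list.

    Because every entry is already split into arguments, no shell ever
    parses the path, so spaces or metacharacters in openclaw_home are inert.
    """
    return {
        "restart_gateway": [os.path.join(openclaw_home, "gateway.cmd")],
    }


def run_allowed(name: str, commands: Dict[str, List[str]],
                cwd: Optional[str] = None, timeout: float = 30.0) -> Tuple[bool, str]:
    """Run an allowlisted command by name; free-form command strings are refused."""
    argv = commands.get(name)
    if argv is None:
        return False, f"command not permitted: {name!r}"
    if not os.path.isfile(argv[0]):
        return False, f"executable missing: {argv[0]}"
    # Hide the console window on Windows (the same flag the skill passes as
    # 0x08000000); the attribute does not exist on other platforms, so use 0.
    flags = getattr(subprocess, "CREATE_NO_WINDOW", 0)
    try:
        result = subprocess.run(
            argv,                 # list, not string: shell=False is the default
            capture_output=True,
            text=True,
            encoding="utf-8",
            cwd=cwd,
            timeout=timeout,
            creationflags=flags,
        )
    except subprocess.TimeoutExpired:
        return False, f"{name} timed out after {timeout}s"
    except OSError as exc:
        return False, str(exc)
    if result.returncode != 0:
        return False, result.stderr.strip()
    return True, result.stdout.strip()


def argv_as_seen_by_child(*args: str) -> List[str]:
    """Show that arguments reach the child verbatim when passed as a list.

    Runs this same interpreter and returns the argv it received; with
    shell=True the same strings would be parsed for ';', '$(...)' and quotes.
    """
    code = "import json, sys; print(json.dumps(sys.argv[1:]))"
    result = subprocess.run([INTERPRETER, "-c", code, *args],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print(argv_as_seen_by_child("gpt-4o; rm -rf ~", "$(id)"))
    print(run_allowed("restart_gateway", gateway_commands(os.path.expanduser("~/.openclaw"))))
    print(run_allowed("rm -rf /", gateway_commands("/tmp")))
```

The allowlist also removes the need for the switcher to accept a command string from its HTTP caller at all: the API takes an action name, and the process that is eventually spawned is fixed at install time. A timeout is included because a hung gateway script would otherwise block the request handler indefinitely.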

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The GET /provider/{provider_id} endpoint returns the full stored provider configuration, including the API key, to any caller that can reach the route. Exposing decrypted secrets over a read endpoint materially increases credential theft risk through unauthorized access, browser/client logging, proxy logs, and accidental disclosure; the misleading docstring also raises the chance developers will treat the response as safe.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad and overlap with ordinary conversation, such as '切换模型' ("switch model") or '换个模型' ("change the model"), which can cause unintended activation. In this skill, accidental activation is more dangerous than usual because activation can modify local configuration and restart services, changing system state without an explicit high-friction confirmation step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that the skill can directly modify ~/.openclaw/openclaw.json and restart services, but it does not prominently warn users about these side effects or require explicit consent. This is risky because configuration changes and gateway restarts can disrupt active workflows, break connectivity, or switch providers unexpectedly, especially when combined with the broad triggers described earlier.

VirusTotal

64/64 vendors reported this skill as clean.


Static analysis

No suspicious patterns detected.