
Security checks across malware telemetry and agentic risk

Overview

This troubleshooting skill is mostly purpose-aligned, but it can make broad system changes with weak scoping and incomplete warnings.

Install only if you are comfortable with a troubleshooting skill that can alter your OpenClaw host. Prefer dry-run/check-only modes first, review every auto-fix before running it, avoid using --auto-fix on production systems, back up ~/.openclaw, and do not paste API keys or full diagnostic outputs into chats or tickets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (60)

MCP Least Privilege
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises and invokes shell-based scripts that can read environment/configuration, inspect files, and modify local state, yet it declares no permissions or user-facing guardrails. This creates a trust and review gap: users and platforms cannot accurately assess that invoking the skill may access sensitive inputs or alter the filesystem.

MCP Tool Poisoning
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The description frames the skill as diagnostic and recommendation-oriented, but the documented behavior includes installation, configuration generation, API key collection, cache refreshes, external network access, and direct file modification. That mismatch can mislead users into authorizing a much more powerful workflow than expected, increasing the chance of unintended system changes or sensitive-data handling.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The recipe includes forceful process-termination commands (`kill -9`, `taskkill /F`) inside a diagnostic/fix skill. Even if intended for troubleshooting, these are destructive actions that can terminate unrelated services if the `{port}` or PID resolution is wrong, causing denial of service or data loss.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The skill goes beyond diagnosis into installing/updating system software and globally modifying packages (`fnm install`, `npm install -g`, `npm update -g`). In a diagnostic context, this expands blast radius significantly because execution changes the host environment, may pull untrusted package versions, and can affect unrelated workloads.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: Docker image pulls and sandbox/container reset operations are not purely diagnostic and can alter runtime state, download new code, or remove existing containers. In a troubleshooting skill, this creates avoidable supply-chain and availability risk if invoked automatically or without strong user awareness.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The disk cleanup recipe performs irreversible deletion of logs and Docker cleanup. For a diagnostic tool, removing logs can destroy forensic evidence needed for incident response or debugging, while Docker pruning may delete resources relied on by other applications.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The document claims '.env secrets' cannot be auto-fixed, yet it also documents fixes that read API keys from .env and create .env files from templates. This inconsistency can normalize automated secret handling and lead operators or downstream automation to move, expose, or overwrite credentials without sufficient review.

Context-Inappropriate Capability
Severity: Medium
Confidence: 82%
Finding: The version lookup method expands the module's behavior beyond documentation fetching by executing local CLI and npm commands, which increases attack surface and surprises callers. In agent/skill contexts, seemingly harmless metadata collection can trigger external processes, network access, PATH-dependent execution, and unintended information disclosure about the local environment.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The command step executes attacker- or recipe-controlled commands with only placeholder substitution and no allowlist, validation, or user confirmation. In a diagnostic/fix engine, this creates a powerful arbitrary command execution primitive that can be abused to modify the system, exfiltrate data, or run destructive programs if step definitions or params are influenced by untrusted input.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The file operation step allows create, delete, and mkdir on arbitrary paths derived from step data and params, with no path restriction or safety boundary. This can be abused to overwrite or remove sensitive files, create persistence artifacts, or tamper with application and user data outside the intended OpenClaw workspace.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The helper generates a default configuration that binds the gateway to 0.0.0.0, uses a predictable token derived from Python's hash of the API key, stores the provider API key in the config, and sets sandboxMode to relaxed. In a setup helper for an agent platform, these insecure defaults materially increase exposure by making remote access easier and reducing containment if the agent is abused or compromised.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The setup wizard goes beyond passive diagnostics and recommendations by installing software, collecting provider API keys, generating configuration, and writing it to disk. In an agent-skill context, this is security-relevant because it expands the skill's effective authority and creates opportunities for unintended system modification or secret handling that are not justified by the stated 'doctor' purpose.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The code offers to install pnpm and the openclaw CLI, which is a privileged side effect inconsistent with a diagnostic/recommendation tool. Even with confirmation prompts, package installation changes the host environment and could be abused or surprise users when they expect only checks and advice.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The activation conditions are broad enough to match common setup, maintenance, update, and troubleshooting requests, which could cause the skill to be invoked in situations where users did not intend file-changing or networked actions. In a skill that includes auto-fix, setup, and update capabilities, over-broad triggering increases accidental execution risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill description does not clearly warn users that some commands may modify local files, generate configuration, refresh caches, or perform automated fixes. Missing disclosure is dangerous because users may treat the skill as informational diagnostics only and approve actions without understanding persistence or side effects.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The process-kill recipe uses forceful termination but does not warn about abrupt shutdown, unsaved work loss, or collateral impact to other services sharing the host. Lack of clear disclosure increases the chance a user will run a destructive command without understanding the consequences.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: `openclaw doctor --fix` is presented as validation, but the command itself performs modifications. This is dangerous because users may interpret it as read-only health checking and unintentionally allow configuration changes they did not review.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The force gateway restart recipe includes `pkill -9`/forced task termination without warning about service interruption, dropped requests, or possible corruption from abrupt shutdown. In an ops-oriented skill, missing warnings around forceful restart materially raises operational risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The sandbox reset recipe stops and removes a container without disclosing that container state, logs, or local modifications may be lost. Users may interpret reset as harmless recovery rather than destructive recreation.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The cleanup recipe deletes log files and prunes Docker resources without a clear irreversible-action warning. This can remove evidence, troubleshooting history, cached images, networks, and stopped containers that may be needed later.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The documentation tells users to display authentication-related values with commands like `openclaw config get ai.provider.apiKey` and `env | grep -i api_key` without warning that these may print live secrets to the terminal, logs, screen recordings, or shell history. In a diagnostic skill focused on auth failures, this context makes the omission more dangerous because users are likely to run the commands during incident response and may share the output for troubleshooting.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The guide instructs users to set API keys directly via CLI and append them into `.env` without explaining that this stores credentials on disk and may also expose them through shell history. Although common in setup docs, the lack of handling guidance for sensitive tokens creates a real secret-management weakness.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The documentation includes `killall openclaw` as a fix step without warning that it will terminate all matching processes on the host, potentially causing service interruption or affecting other instances. In a troubleshooting document, users may execute commands quickly, so missing safety context raises the chance of accidental denial of service.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The documentation instructs users to run `rm -rf .openclaw/whatsapp-session` to clear a session without warning that this irreversibly deletes local session state and may disconnect the integration until re-linking completes. In a troubleshooting skill, destructive commands are more likely to be copied verbatim, so lack of a caution increases the chance of accidental service disruption or data loss.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The instructions tell users to set Slack secrets and tokens directly on the command line, which can expose credentials through shell history, terminal logging, process inspection, or copied transcripts. Because this file is a troubleshooting reference, operators may use these commands during incidents when operational hygiene is weaker, increasing credential leakage risk.

VirusTotal

64/64 vendors flagged this skill as clean.