Openclaw Whisperer

Security checks across malware telemetry and agentic risk

Overview

This looks like a real OpenClaw repair tool, but some of its “safe” fixes can install or update global software, and it generates risky default configuration.

Install only if you want a repair/setup tool with real local authority. Use check-only and dry-run modes first, review any --auto-fix recipe before running it, avoid auto-fixing install/update errors unless you intend global npm changes, and inspect generated OpenClaw config before exposing the gateway or storing real API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (82)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while advertising behaviors that require shell execution, environment access, file reads/writes, and likely network access. This creates a transparency and consent gap: users and orchestrators cannot accurately assess what system capabilities the skill will use before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose frames the skill as diagnostic and recommendation-oriented, but the documented behavior expands into setup, package installation, configuration generation, cache refresh, updating, and automated fix execution that can modify the host system. This mismatch increases the chance of users invoking the skill under a lower-risk mental model while it performs materially more powerful actions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document presents contradictory safety guarantees: it says auto-fix cannot modify .env secrets, yet earlier recipes describe reading API keys from .env, prompting for replacement credentials, and regenerating tokens. In a diagnostic/auto-fix skill, this inconsistency can cause unsafe automation around secrets handling and mislead users into trusting operations that touch credentials.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The guardrails claim system files cannot be edited, but the PATH_NOT_SET fix instructs appending to shell profile files such as ~/.bashrc and ~/.zshrc. This mismatch weakens trust in the stated safety model and could lead operators to approve broader filesystem modifications than intended.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README documents capabilities that go beyond passive diagnostics and recommendations, including self-update, setup automation, component installation, and configuration generation. Broadening operational scope without clear justification or guardrails increases the chance that users will invoke privileged or system-altering behavior they did not expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A self-updater that can execute updates introduces a supply-chain and self-modification risk, especially when the skill is described primarily as a diagnostic and recommendation tool. If update sources or downloaded content are compromised, users may be induced to run untrusted changes that alter the local installation.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic component installation and configuration generation materially expand the skill from diagnostics into system provisioning and local state modification. In this context, that is dangerous because it can change dependencies, credentials, and runtime behavior in ways users may not anticipate from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The file is presented as a documentation fetcher, but it also executes local CLI and npm commands for version auditing. In an agent-skill context, undeclared local command execution expands the trust boundary and can expose environment details or trigger unintended external interactions, especially when users do not expect this behavior.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module and class documentation claim the component fetches documentation references, but the implementation also performs version auditing via local and npm subprocesses. This mismatch is dangerous because it obscures behavior from reviewers and users, making unexpected command execution and data disclosure easier to overlook in a privileged automation environment.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The executor performs parameter substitution and then invokes whatever command string is present in the step, with no allowlist, sandboxing, privilege restriction, or OpenClaw-specific scoping. In a skill that is framed as a diagnostic and error-fixing recommendation tool, this creates a direct arbitrary command-execution primitive if recipe steps or params are attacker-controlled or untrusted.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file operation handler accepts a substituted path and can create, delete, or mkdir anywhere the process has access, without constraining operations to a workspace or application-owned directory. That allows destructive or persistence-related filesystem changes outside the intended OpenClaw context if steps or params are influenced by untrusted input.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The generated configuration exposes the gateway on 0.0.0.0 and enables a relaxed sandbox, creating a remotely reachable agent surface with reduced execution isolation. In the context of a setup helper for a diagnostic/recommendation tool, this meaningfully expands attack surface beyond the stated purpose, especially since the auth token is also predictably derived from the API key hash rather than being a strong random secret.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code can install global packages via npm, which modifies the host environment and executes package installation workflows with system-wide effect. For a diagnostic/setup helper this is a risky capability because it can change user systems, pull unpinned code from registries, and potentially require elevated privileges, even if the apparent intent is convenience rather than abuse.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond diagnostics and performs update actions that modify local state by fetching documentation updates and refreshing the skill cache. In a skill advertised as a diagnostic/error-fixing/recommendation tool, embedded updater behavior expands trust boundaries and can introduce supply-chain and unauthorized-change risk if upstream sources or the CLI are compromised.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The file is framed as a generic self-update tool rather than a narrowly scoped diagnostic helper, which conflicts with the declared purpose of the skill. This mismatch is dangerous because it can mislead users and reviewers about the skill's actual capabilities, reducing informed consent around state-changing operations.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The wizard goes beyond passive diagnostics by installing software, writing configuration, and invoking operational commands. In an agent-skill context, that expands the trust boundary and can cause unintended system changes or persistence, especially if users expect only analysis and recommendations from the stated skill description.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script interactively collects an AI provider API key and incorporates it into generated configuration, which is more sensitive than ordinary diagnostic input. In a skill advertised primarily for diagnostics/error-fixing/recommendations, secret collection is a meaningful risk because it normalizes handing credentials to a tool without a clearly justified need or clear handling guarantees.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance is broad enough that the skill may be invoked for many routine OpenClaw support scenarios, including first-time setup, updates, and fixes, without clear boundaries or risk qualifiers. Broad trigger conditions increase the likelihood of accidental execution of powerful features such as auto-fix, setup, or updater workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool descriptions mention notification hooks, update checks, and complementary skill metadata refresh, but they do not clearly warn that these actions may contact external services or alter local state. Users may expose diagnostic data to Slack/Discord/GitHub or trigger state changes without understanding the privacy and integrity implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The recipe instructs users to place API keys in a .env file or export them in the shell without warning about exposure risks such as accidental source control commits, insecure file permissions, process-environment leakage, or shell history capture if adapted incorrectly. In a diagnostic/remediation skill, this is risky because users may follow the guidance verbatim and persist sensitive credentials unsafely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The force-kill recipe terminates whatever process is using the specified port with kill -9/taskkill /F but does not warn that this is abrupt and may cause data loss, corruption, or termination of unrelated services if the wrong port is supplied. In a troubleshooting tool, users may run this under stress, making omission of a safety warning materially dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The sandbox reset recipe stops and removes the container without warning that local container state, uncommitted changes, or attached volumes may be lost depending on configuration. Because this is framed as a fix action, users may assume it is reversible when it is not.

Missing User Warnings

High
Confidence
96% confidence
Finding
The disk cleanup recipe permanently deletes old logs and runs docker system prune -f without warning that these actions are irreversible and may remove containers, networks, images, caches, and troubleshooting artifacts needed later. In an automated fix catalog, destructive cleanup commands are especially risky because they can affect more than OpenClaw state.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to set secrets directly on the command line and append them to a plaintext .env file without warning that shell history, process listings, terminal scrollback, and local files may expose live credentials. In an authentication troubleshooting guide, this context makes the omission more dangerous because users are likely to run the commands exactly as written while handling real production keys.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends printing or grepping environment variables that may contain API keys, which can disclose secrets to the terminal, logs, screen recordings, shared shells, and support transcripts. Because this file is specifically for diagnosing auth issues, operators under pressure may expose valid credentials during troubleshooting.

VirusTotal

66/66 vendors flagged this skill as clean.