Opclawtm Skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its OpenClaw and Feishu team-management purpose, but it asks for broad workspace permissions and tells the agent to read local logs, so it needs review before installation.

Install only if you trust the opclawtm npm package and are comfortable granting a Feishu app broad access to workspace data. Use a test workspace first, reduce Feishu scopes where possible, do not let the agent read or print raw gateway logs, and revoke or rotate Feishu credentials after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The document instructs the agent to run a local shell command against ~/.openclaw/logs/gateway.log and extract Open IDs for the user. That exceeds passive guidance and gives the agent access to local logs that may contain additional sensitive data beyond the intended identifier, creating unnecessary data exposure and privilege expansion.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The file states as a core principle that the agent must not perform Feishu configuration on the user's behalf, yet later tells it to execute commands and inspect local logs. This contradiction weakens safety boundaries and can cause an agent to take actions on the host system despite an apparent non-action policy.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger section includes broad phrases such as '创建团队', '初始化', and '配置问题', which can match many ordinary support conversations and cause the skill to activate outside a clearly bounded opclawtm context. Because this skill instructs the agent on installation, activation, authorization binding, and workflow guidance, accidental invocation could steer unrelated user sessions or cause the agent to request or act on sensitive operational inputs unnecessarily.

Vague Triggers

Severity: Low
Confidence: 82%
Finding: The skill defines trigger scenarios only as a loose keyword list and does not clearly restrict activation to conversations specifically about the opclawtm product, CLI, or OpenClaw platform. This increases the chance of unintentional routing to this skill, which may confuse users or expose them to irrelevant operational guidance, though the file itself does not contain direct code execution or credential exfiltration logic.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The guidance has the agent read gateway logs and directly display extracted Open IDs without warning that logs may contain sensitive metadata, tokens, message content, or identifiers for other users. Presenting values from raw logs to the user normalizes unsafe handling of potentially sensitive operational data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The document explicitly instructs the agent to execute installation and activation commands as part of the workflow, but it does not require informed user consent or warn about system modification, package installation, or outbound network activity. In an agent setting, this can normalize autonomous command execution and lead to unintended changes on the host, especially because `npm install -g` and activation commands affect the system and contact external services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The global install step uses `npm install -g opclawtm`, which modifies the user's environment, may require elevated privileges, and executes package install scripts, yet the skill provides no user-facing warning or confirmation gate. This is risky in an agent context because a user may not realize the command changes global system state and may trust the agent to act safely.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The activation flow instructs the agent to run `opclawtm trial-activate` and later disclose license details, but it does not warn that the command will contact external services or that licensing/device information may be transmitted or displayed. In a security-sensitive environment, silent activation and handling of license keys can expose metadata, trigger unwanted network access, or leak sensitive entitlement information.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger conditions are overly broad and include common phrases like '我想要...' and '我需要一个...', which can match ordinary conversation rather than an intentional request to invoke this Skill. In this context, that can cause unintended activation during user chats, leading to accidental task creation, workflow routing, or disclosure of internal agent/process behavior when the user did not explicitly request this private-skill flow.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The document mentions team deletion and reassures the user that it 'will not affect previously created content,' but it does not clearly describe the scope of data removed or whether recovery is possible, and it does not require a confirmation step. In a workflow-management skill, vague or overly reassuring deletion guidance can cause users to irreversibly remove agents or team configuration they expected to keep.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The guide explicitly instructs the agent to read a local log file, grep for identifiers beginning with `ou_`, and directly reveal the discovered user ID to the user. This creates a privacy and data-handling risk because local logs may contain personal or tenant-specific identifiers, and the procedure lacks any verification, minimization, masking, or user-consent safeguards before disclosure.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The instruction explicitly tells the agent to inspect a local log file, extract Open IDs, and return them in plain text. This is dangerous because logs are a broad and often sensitive data source, and the agent may reveal more information than necessary or process identifiers belonging to unintended users.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal