OpenClaw Consensus

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-model deliberation tool that sends a user-provided brief to selected OpenClaw models and saves local run artifacts.

Use this only for briefs you are comfortable sending to the explicitly selected API-backed model providers. Avoid secrets, regulated data, or proprietary material unless your provider agreements allow it, and remember that local run artifacts remain on disk until you remove them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

Finding
The run record shows the consensus workflow did not preserve the explicitly requested two-model deliberation and instead allowed substitution to a different model after a billing-related failure. In a skill whose security-sensitive promise is a fixed 2-round cross-model process, this undermines integrity, reproducibility, and policy assumptions because a single provider or model can silently replace the intended independent reviewer.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding
The `run` command transmits the user-supplied brief verbatim to `openclaw infer model run --gateway`, which in this skill means sending repository/local user content to external API-backed models. While this appears intentional for the feature, the CLI does not present a clear runtime consent/privacy warning at the point of execution, so users may unknowingly exfiltrate sensitive prompts, secrets, or proprietary data to third-party providers.
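The mitigation this finding asks for is a gate in front of the outbound call: show the user which providers will receive the brief, refuse to send anything that looks like a credential, and record consent for exactly the provider set that was shown. The following is an added example written for this page, not code from the OpenClaw Consensus skill or the SkillSpector report; it assumes a wrapper invoked before `openclaw infer model run --gateway` (the skill exposes no such hook that the page documents), and the secret patterns, provider names and sample brief are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for common secret shapes (assumption: extend for your own
# environment; this list is illustrative, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*\S{8,}"),
}


@dataclass
class GateResult:
    allowed: bool
    reason: str
    hits: dict = field(default_factory=dict)  # pattern name -> redacted matches


def redact(match_text):
    # Keep only a short prefix so the report itself does not become a leak.
    return match_text[:4] + "..." if len(match_text) > 4 else "..."


def scan_brief(brief):
    """Return {pattern_name: [redacted matches]} for every secret-like hit."""
    hits = {}
    for name, pattern in SECRET_PATTERNS.items():
        found = [redact(m.group(0)) for m in pattern.finditer(brief)]
        if found:
            hits[name] = found
    return hits


def warning_text(providers):
    """The runtime warning the finding says is missing; shown before any send."""
    return ("This brief will be sent verbatim to: " + ", ".join(sorted(providers))
            + ". Local run artifacts stay on disk until you remove them. Continue "
            "only if your provider agreements permit this content.")


def gate_brief(brief, providers, consent_for=None):
    """Decide whether the brief may leave the machine.

    consent_for is the exact provider set the user acknowledged after seeing
    warning_text(); any mismatch, including a runtime substitution of a
    provider, blocks the send instead of silently widening the audience.
    """
    hits = scan_brief(brief)
    if hits:
        return GateResult(False, "brief contains secret-like content", hits)
    if consent_for is None or frozenset(consent_for) != frozenset(providers):
        return GateResult(False, "no consent recorded for exactly this provider set")
    return GateResult(True, "ok")


if __name__ == "__main__":
    # Constructed sample brief; a hypothetical provider list.
    providers = ["provider-a", "provider-b"]
    print(warning_text(providers))
    print(gate_brief("Compare two designs for session management.", providers,
                     consent_for=providers))
    print(gate_brief("Config: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE", providers,
                     consent_for=providers))
```

Tying consent to the exact provider set is deliberate: it turns the substitution problem from the first finding into a hard stop at the point where data would actually leave the machine, rather than something discovered afterwards in the run record.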

Vague Triggers

Severity: Low
Confidence: 85%

Finding
The error text documents fallback behavior in broad terms but does not define strict constraints, scope, or authorization rules for when switching models is allowed. That ambiguity is dangerous because operators and downstream tooling may assume stronger guarantees than the runtime actually provides, creating room for policy bypass, unexpected trust-boundary changes, and weak auditability.
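The first and third findings point at the same gap: the run record can show a model being swapped in after a failure, and nothing defines when that is allowed. A practitioner's check is a post-run verifier that reads the saved artifact and fails closed on any substitution not named in an explicit policy. This is an added example for this page, not the skill's own code: the JSON layout of the run record, the model and provider names, and the `FallbackPolicy` type are all assumptions; the page does not document the real artifact format. The verifier covers both findings, so it is placed here after the second of them.

```python
import json
from dataclasses import dataclass, field

# Assumed run-record layout (constructed; the skill's real artifact format is
# not documented on the page). A billing failure on round 1 leads to a
# substitute model contributing in both rounds, which is the pattern the
# Description-Behavior Mismatch finding describes.
SAMPLE_RUN_RECORD = json.dumps({
    "requested_models": ["provider-a/model-1", "provider-b/model-2"],
    "expected_rounds": 2,
    "events": [
        {"round": 1, "model": "provider-a/model-1", "status": "ok"},
        {"round": 1, "model": "provider-b/model-2", "status": "error",
         "error": "billing: quota exceeded"},
        {"round": 1, "model": "provider-c/model-3", "status": "ok",
         "substituted_for": "provider-b/model-2"},
        {"round": 2, "model": "provider-a/model-1", "status": "ok"},
        {"round": 2, "model": "provider-c/model-3", "status": "ok",
         "substituted_for": "provider-b/model-2"},
    ],
})

# Same record with round 2 missing, to exercise the round-count check.
TRUNCATED_RUN_RECORD = json.dumps({
    **json.loads(SAMPLE_RUN_RECORD),
    "events": [e for e in json.loads(SAMPLE_RUN_RECORD)["events"] if e["round"] == 1],
})


@dataclass(frozen=True)
class FallbackPolicy:
    """Hypothetical policy: requested model -> set of stand-ins an operator
    has authorised. The default authorises nothing, i.e. fail closed."""
    allowed_substitutes: dict = field(default_factory=dict)


def verify_run(record_json, policy=FallbackPolicy()):
    """Return a list of violations; an empty list means the run matched the
    requested fixed N-round, fixed-model deliberation."""
    rec = json.loads(record_json)
    requested = list(rec["requested_models"])
    violations = []

    by_round = {}
    for ev in rec["events"]:
        by_round.setdefault(ev["round"], []).append(ev)
    rounds = sorted(by_round)
    if rounds != list(range(1, rec["expected_rounds"] + 1)):
        violations.append(
            f"expected {rec['expected_rounds']} rounds, record has rounds {rounds}")

    for r in rounds:
        evs = by_round[r]
        # Models that answered under their own name in this round.
        completed = {e["model"] for e in evs
                     if e["status"] == "ok" and "substituted_for" not in e}
        for m in requested:
            if m in completed:
                continue
            stand_ins = [e for e in evs
                         if e.get("substituted_for") == m and e["status"] == "ok"]
            if not stand_ins:
                violations.append(f"round {r}: {m} produced no result")
                continue
            for e in stand_ins:
                if e["model"] not in policy.allowed_substitutes.get(m, set()):
                    violations.append(
                        f"round {r}: unauthorized substitution {m} -> {e['model']}")
        # Anything else that contributed widened the trust boundary silently.
        for e in evs:
            if (e["status"] == "ok" and e["model"] not in requested
                    and "substituted_for" not in e):
                violations.append(f"round {r}: unrequested model {e['model']} contributed")
    return violations


if __name__ == "__main__":
    for v in verify_run(SAMPLE_RUN_RECORD):
        print("VIOLATION:", v)
```

Run against the constructed record with the default policy, the verifier reports the substitution in both rounds; with a policy that explicitly authorises `provider-c/model-3` as a stand-in for `provider-b/model-2`, the same record passes. That is the distinction the third finding asks for: fallback is acceptable only when someone has written down, in advance, which replacements are permitted.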

VirusTotal

63/63 vendors flagged this skill as clean.
