Back to skill

Security audit

Cost Optimizer

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent cost-optimization toolkit, but several helper scripts unsafely execute local configuration files as code and some reporting features under-disclose sensitive data flows.

Review before installing. Run these scripts only against configuration files you trust, avoid plaintext HTTP provider or instance URLs, treat instances.json and OpenRouter/API keys as secrets, and do not enable webhooks or cron templates until you understand exactly what data will be read or sent. The main issue to fix is replacing new Function config parsing with safe JSON/JSON5 parsing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads the config file and evaluates it with `new Function('return (' + raw + ')')()`, which executes the file as JavaScript rather than parsing it as data. If an attacker can modify the config file or convince a user to run the script on a crafted path, arbitrary code can run with the user's privileges. In a cost-optimization skill that encourages auditing and setup scripts, users are more likely to run this helper routinely, which increases exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads the user-supplied OpenClaw config and evaluates it with `new Function('return ('+raw+')')()`, which executes the file as JavaScript instead of parsing it as data. If an attacker can modify the config file or trick a user into auditing a crafted file, arbitrary code will run in the context of the user executing the audit script, making this a code-execution issue rather than a passive audit.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script parses the config by passing its contents into `new Function(...)`, which executes the file as JavaScript rather than treating it as data. If an attacker can modify the config file or influence the path argument, they can achieve arbitrary code execution under the privileges of the user running the dashboard generator.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script reads the config file as text and evaluates it with `new Function('return (' + raw + ')')()`, which executes arbitrary JavaScript contained in the supplied config path. Because the config path is user-controllable via the first argument, an attacker who can place or influence that file can achieve code execution in the context of the user running the script. In a skill that includes many executable maintenance scripts and is likely to be run locally with access to secrets and user files, this is more dangerous than a simple parsing bug.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script reads a local configuration file and evaluates it with `new Function('return (' + raw + ')')()`, which executes arbitrary JavaScript from that file instead of parsing structured data safely. If an attacker can modify the referenced config path or trick a user into pointing at a malicious file, running this cost-audit script can execute code with the user's privileges. In this skill context, the danger is increased because the tool is explicitly designed to inspect multiple local and remote OpenClaw instances, so operators may run it against privileged paths or configs they trust implicitly.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This is a true vulnerability. The script reads the config file as text and parses it with `new Function('return (' + raw + ')')()`, which executes arbitrary JavaScript embedded in the configuration rather than safely deserializing JSON. Because this is an audit/comparison script that users may run on local workstation configs, a malicious or tampered config can trigger arbitrary code execution with the user's privileges during what appears to be a harmless cost-reporting operation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script parses the user-supplied config by embedding its raw contents into `new Function('return (' + raw + ')')()`, which executes the file as JavaScript rather than safely deserializing data. If an attacker can modify `~/.openclaw/openclaw.json` or convince a user to point the script at a crafted config path, they can achieve arbitrary code execution in the context of the user running the health check. The skill context increases risk because this is an operational utility likely to be run locally with access to API keys and other sensitive OpenClaw configuration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads local configuration and usage-derived metadata, packages it into JSON, and posts it to any user-supplied webhook URL. Although this appears intended for reporting rather than covert exfiltration, it still transmits internal operational details to arbitrary external endpoints and expands the skill from local cost analysis into network data disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide encourages sending daily cost summaries to third-party webhooks but provides no warning that usage metadata, model names, instance identifiers, or other operational details may leave the local environment. While this is not inherently malicious, omitting disclosure and data-minimization guidance can cause unintended leakage of sensitive operational information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The multi-instance example shows remote URLs and bearer-like tokens in a configuration file without any warning about credential sensitivity, file permissions, or secret storage. This can normalize unsafe handling of instance access tokens and increase the chance that users store powerful credentials in plaintext or commit them to shared locations.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The activation language is broad enough that the skill may engage whenever it is merely active, rather than only on explicit cost-management requests. In context, that can lead to unsolicited routing suggestions, configuration-change prompts, or operational guidance being injected into unrelated conversations, increasing the chance of accidental system changes or confusing users into approving them.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script embeds the user-influenced $CONFIG path directly into a Node.js -e string and then parses the file with new Function('return ('+raw+')')(), which evaluates file contents as code rather than as JSON. If an attacker can control the config file contents or inject quotes into the path, this can lead to arbitrary JavaScript execution in the context of the local user running the script. In a setup/automation skill that processes local OpenClaw state, that makes the issue more dangerous because users are likely to run it against real local files with trust assumptions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The shell script invokes embedded Node.js that evaluates a user-supplied configuration file without warning or sandboxing, turning a comparison utility into a code-execution primitive. Because the config path is accepted as an argument and defaults to a user-writable home-directory file, a malicious local modification or social-engineering attack could trigger arbitrary JavaScript execution when the user runs a seemingly harmless diff command.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently evaluates the config while presenting itself as a cost-reporting utility, so users are not clearly warned that inspecting a config may execute embedded code. In this skill context, that is more dangerous because an auditing script is expected to be read-only and may be run on existing local configs or externally provided config files with elevated trust.

Missing User Warnings

High
Confidence
98% confidence
Finding
Because the script silently executes the config during parsing, users may reasonably believe they are loading a passive configuration file when they are actually running code. That lack of disclosure increases the chance of unsafe use and makes the code-execution behavior more dangerous in the context of an automation/helper skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script accepts provider base URLs from configuration and uses either the HTTP or HTTPS module based solely on the URL scheme, so if a provider is configured with http:// it will send the API key and request body in cleartext. That exposes credentials and model/request metadata to interception or modification by anyone on the network path. In this skill context, the script is specifically intended to validate live provider endpoints using real API keys, which makes insecure transport more dangerous rather than theoretical.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script accesses local config files and sends bearer tokens to remote instances via HTTP(S) requests, but it provides no clear warning that sensitive local paths and credentials will be used. This can lead users to run it without understanding that tokens are transmitted to configured endpoints and that local instance configs are being inspected, increasing the risk of accidental credential disclosure or interaction with unsafe/non-TLS endpoints. In a multi-instance cost optimizer, this context makes the issue more relevant because aggregating across many instances naturally centralizes secrets and broadens the trust boundary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically reads OpenClaw session logs from several common locations and parses them without any explicit warning, consent prompt, or minimization of displayed content. Session logs can contain prompts, tool invocations, identifiers, and other sensitive operational data, so running this utility may expose private information to whoever executes it or views its output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs an outbound POST to the provided webhook without an explicit runtime warning that local usage and configuration-derived data will leave the system. In an agent skill context, especially with automation via cron, that lack of strong disclosure increases the risk of users unknowingly sending internal metadata to third-party services.

Ssd 3

Medium
Confidence
89% confidence
Finding
The guide describes workflows that may aggregate local config/log data and transmit summaries to external webhook endpoints across multiple instances, yet it does so in plain operational language without privacy/security guardrails. In context, these scripts likely access sensitive tokens, URLs, usage history, and local paths, so the lack of warnings and handling guidance materially increases data exposure risk.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.dynamic_code_execution

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
GUIDE.md:672

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/compaction-log.sh:34

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/config-diff.sh:29

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/cost-audit.sh:42

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/cost-dashboard.js:14

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/fallback-validator.sh:32

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/idle-sleep.sh:81

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/model-switcher.sh:30

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/multi-instance.sh:95

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/parse-config.js:23

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/preset-manager.sh:35

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/provider-compare.sh:29

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/provider-health.sh:35

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/token-enforcer.sh:63

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/webhook-report.sh:41