
Security audit

Openclaw Pqsafe

Security checks across malware telemetry and agentic risk

Overview

This payment skill is not clearly malicious, but it needs Review because it carries high-impact payment authority and its private-key handling is inconsistently documented.

Install only after confirming which key model you intend to use. Treat create_envelope as permission to spend up to the envelope's limits; keep production private keys out of agent prompts and logs; start with PQSAFE_TEST_MODE; use small caps and short TTLs; and require human approval before any create or revoke operation.
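The recommendations above translate into a pre-invocation gate on the host side. The following is an added illustration written for this audit, not code from the skill or its vendor: it assumes a hypothetical policy object and hypothetical argument names (`amount`, `ttl_seconds`, `revoke_envelope`) for the tool call; only `create_envelope`, `dsaSecretKey` and `PQSAFE_TEST_MODE` are taken from the page. The design point is that the model-produced arguments are checked against caps, TTL, test mode and an approval flag, and must not carry the private key at all; the host adds the key from its own secret store only after the gate passes.

```python
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SpendPolicy:
    """Hypothetical per-agent spend policy (this example's own, not the skill's)."""
    max_amount: int = 500           # minor currency units, e.g. cents
    max_ttl_seconds: int = 900      # short validity window for any envelope
    require_test_mode: bool = True  # refuse until PQSAFE_TEST_MODE is set
    gated_tools: frozenset = frozenset({"create_envelope", "revoke_envelope"})


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def gate_tool_call(tool, args, policy, env=None, approved=False):
    """Decide whether the host may execute a model-requested tool call.

    `args` are the arguments the model produced. The host injects dsaSecretKey
    from its own secret store only after this gate passes, so the key never
    appears in the prompt, the transcript or the tool-call log.
    """
    env = os.environ if env is None else env
    reasons = []
    if tool not in policy.gated_tools:
        return Decision(True)
    if policy.require_test_mode and not _truthy(env.get("PQSAFE_TEST_MODE", "")):
        reasons.append("PQSAFE_TEST_MODE is not set; refusing non-test rails")
    if not approved:
        reasons.append(f"{tool} needs explicit human approval")
    if "dsaSecretKey" in args:
        reasons.append("model-supplied arguments must not carry dsaSecretKey")
    if tool == "create_envelope":
        amount = args.get("amount")
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            reasons.append("amount must be a positive integer")
        elif amount > policy.max_amount:
            reasons.append(f"amount {amount} exceeds cap {policy.max_amount}")
        ttl = args.get("ttl_seconds")
        if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
            reasons.append("ttl_seconds must be a positive integer")
        elif ttl > policy.max_ttl_seconds:
            reasons.append(f"ttl {ttl}s exceeds maximum {policy.max_ttl_seconds}s")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    policy = SpendPolicy()
    env = {"PQSAFE_TEST_MODE": "1"}  # constructed environment for the demo
    print(gate_tool_call("create_envelope",
                         {"amount": 250, "ttl_seconds": 300, "recipient": "merchant-42"},
                         policy, env, approved=True))
    print(gate_tool_call("create_envelope",
                         {"amount": 10_000, "ttl_seconds": 86_400, "dsaSecretKey": "..."},
                         policy, env, approved=False))
```

Verification and audit calls pass through untouched because they do not spend or revoke; only the two gated tools need the approval flag. A denied call returns every reason at once so the human reviewer sees the full picture rather than fixing one limit at a time.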

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares access to environment variables and implicitly requires network access for package and API use, but it declares no explicit permissions for either capability. This weakens the trust boundary for users and host platforms: the skill can read a sensitive API key and perform remote payment-related actions without clear permission signaling, which increases the chance of unintended execution or under-informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This skill performs payment-envelope creation, verification, revocation and audit operations tied to real, network-backed sandbox rails, but the description carries no prominent user-facing warning about those effects. In a payment context insufficient disclosure is dangerous: users or orchestrating agents may treat the skill as a harmless cryptographic utility when it can trigger external financial workflow actions and create audit records.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The revoke path transmits the full signed envelope to a remote API, which may include issuer, agent, recipient constraints, amounts, validity windows, and public-key material. In an agent setting, sending full payment authorization artifacts off-box without explicit user-facing consent or minimization can leak sensitive transactional metadata and expand the trust boundary to the vendor service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly defines a `dsaSecretKey` input for `create_envelope`, so the skill interface asks callers to pass highly sensitive private-key material into the tool. Even though the description says the key never leaves the caller's environment and signing is local, exposing secret-key entry in a payment skill materially increases the risk of accidental logging, prompt leakage, telemetry capture, insecure storage, or forwarding to remote components by the agent framework.
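Because `dsaSecretKey` is a declared tool input, any transcript or tool-call log the agent framework writes is a place the key can land. An added example of the scrubbing step a host should apply before anything reaches a log sink (written for this audit, not taken from the skill or its vendor): field names are matched against secret-looking patterns, of which only `dsaSecretKey` comes from the manifest, and string values are scanned for PEM private-key blocks and long base64 runs, which also catches a key pasted into free-form prompt text. The sample record is constructed for the demo.

```python
import json
import re

# Field names treated as secret. "dsaSecretKey" is the manifest's name; the
# remaining patterns are this example's own assumptions about common naming.
SECRET_FIELD = re.compile(r"(secret|private|priv)[_-]?key|passphrase|mnemonic", re.IGNORECASE)
# Value heuristics, applied regardless of field name.
PEM_PRIVATE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

REDACTED = "[REDACTED]"


def redact(obj):
    """Return a deep copy of obj with secret-looking fields and values replaced.

    Whole values are dropped when the field name looks secret; inside free
    text only the key-shaped run is replaced so the rest of the message
    stays readable for forensics.
    """
    if isinstance(obj, dict):
        return {k: (REDACTED if SECRET_FIELD.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        if PEM_PRIVATE.search(obj):
            return REDACTED
        return LONG_B64.sub(REDACTED, obj)
    return obj


def safe_log_line(event, payload):
    """Serialize a tool-call record for a log sink with secrets scrubbed first."""
    return json.dumps({"event": event, "payload": redact(payload)}, sort_keys=True)


# Constructed tool-call record; the key value is a placeholder, not real key material.
SAMPLE_CALL = {
    "tool": "create_envelope",
    "args": {
        "amount": 250,
        "recipient": "merchant-42",
        "ttl_seconds": 300,
        "dsaSecretKey": "CONSTRUCTED-SECRET-KEY-BYTES",
    },
    "prompt_excerpt": "sign this with key " + "A" * 80 + " and submit",
}

if __name__ == "__main__":
    print(safe_log_line("tool_call", SAMPLE_CALL))
```

The base64 heuristic also blanks public keys and signatures, which is the acceptable direction of error for a log; if those are needed for debugging, log their hashes instead. Scrubbing is a backstop, not a fix: the primary control remains keeping the key out of model-visible arguments in the first place.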

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal