Openclaw Mutual Repair

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate monitoring purpose, but it exposes powerful remote repair controls without built-in authentication or confirmation.

Install only in a private, firewalled environment after the publisher removes and rotates the exposed token. Restrict port 9528 to trusted peer IPs, avoid untrusted configuration values, and treat remote restart as an administrator-only action until the skill adds authentication, request validation, audit logging, and an explicit approval or opt-in flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

High
Confidence: 99%
Finding
The skill exposes an HTTP /api/repair endpoint that accepts unauthenticated repair actions and can restart the local OpenClaw service via pm2 or systemctl. In context, this is far more dangerous than a mere description mismatch because any reachable peer or attacker on the network could trigger service disruption or operational changes without authorization.

Missing User Warnings

High
Confidence: 99%
Finding
The document contains what appears to be a live Claw CLI authentication token directly in the publishing command. Exposing credentials in distributable documentation can let anyone who reads the file authenticate as the publisher, publish or modify skills, and potentially access associated account resources.

Vague Triggers

Medium
Confidence: 83%
Finding
The listed trigger keywords are broad, generic terms such as "内存", "健康", "check", and "repair" that can easily appear in ordinary user conversations. In an agent skill context, overly broad activation terms increase the chance of unintended invocation, causing the skill to run in contexts the user did not explicitly request and potentially exposing system-diagnostic or repair behavior unnecessarily.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README markets continuous mutual monitoring and repair-oriented behavior as a core value, but it does not clearly state whether repairs are advisory or can change system state automatically. In an ops skill that runs continuously and interacts with another host, lack of explicit warnings and confirmation requirements can cause users to enable system-changing behavior without understanding the operational risk.

Missing User Warnings

High
Confidence: 97%
Finding
This section explicitly says the skill may "execute remote repair" but does not document authentication, authorization, approval flow, or limits on what remote actions can occur. In the context of a service exposing HTTP endpoints and managing PM2/systemd-related recovery, undocumented remote repair behavior materially increases the risk of unintended service restarts, configuration changes, or abuse if the feature is misused.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation describes remote repair and notes optional SSH key setup, but it does not prominently and explicitly warn that the skill can remotely restart services on another machine. This can mislead operators into enabling cross-host control without fully understanding the operational and security consequences, increasing the chance of unsafe deployment or accidental disruption.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list contains broad, everyday terms such as "health", "status", "monitor", and their Chinese equivalents, which can cause the skill to activate in contexts unrelated to this high-privilege repair tool. Because the manifest also requests both exec and network permissions, unintended invocation is more dangerous than usual: a casual user utterance could activate a skill capable of command execution and remote communication.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code transmits system health data and host metadata to a remote node over plain HTTP without encryption or clear user disclosure. This can expose internal host addresses, uptime, memory, CPU, and connection information to interception or unintended recipients, aiding reconnaissance and leaking operational details.

Missing User Warnings

High
Confidence: 99%
Finding
The repair endpoint executes sensitive actions based solely on a received POST body and returns success without any authentication, authorization, or confirmation step. An attacker who can reach the service can invoke restart or diagnostic actions remotely, causing denial of service and potentially exposing system state.

VirusTotal

56/56 vendors flagged this skill as clean.