ClawHub
Back to skill

Security audit

Claw Sos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw emergency recovery tool, but it needs Review because its automatic repair and install paths can make privileged, system-wide changes without enough confirmation.

Install only on OpenClaw hosts you administer. Prefer the bundled script or a pinned, reviewed release over `curl | bash`; avoid unattended `sos auto` unless you accept service restarts, process kills, DNS changes, cleanup actions, and real Telegram API calls using the configured bot token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent/user to execute shell commands locally and over SSH, including installation to privileged paths and recovery actions, but it declares no permissions. This mismatch can bypass governance expectations and cause the skill to be invoked without the explicit shell/remote-execution safeguards that such powerful operations require.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Autofix unconditionally rewrites /etc/resolv.conf with hardcoded public resolvers, making a host-wide network configuration change that exceeds routine application recovery. This can break managed DNS setups, violate enterprise policy, disrupt split-horizon/internal name resolution, and alter connectivity for unrelated services on the machine.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger text includes broad operational phrases like "sos," "recovery," "bot is down," and "not responding," which can match routine troubleshooting conversations and cause unintended activation of a highly privileged recovery skill. Because this skill performs shell and remote recovery actions, accidental invocation materially increases the chance of disruptive or destructive commands being suggested or run in the wrong context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer downloads a remote script and writes it into a system binary path, potentially using sudo, without an explicit confirmation step or strong warning that a privileged executable is being installed. In this skill context, the danger is higher because it is an emergency-recovery tool that users may run quickly under pressure, increasing the chance they approve privileged changes without scrutiny.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a destructive system configuration change at runtime without a just-in-time warning or confirmation from the operator. In an emergency recovery context, users may invoke autofix expecting service-local remediation, not host-wide DNS rewrites, increasing the chance of accidental damage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Telegram test sends bot-authenticated requests and may auto-discover a chat ID from recent updates, but it does not provide a clear privacy or data-transmission warning before contacting Telegram. In practice this can expose operational metadata and trigger a real outbound message without the operator fully understanding what data is being transmitted.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Allow custom install dir
INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"
mkdir -p "$INSTALL_DIR" 2>/dev/null || $SUDO mkdir -p "$INSTALL_DIR"

# Detect OS
OS="$(uname -s)"
Confidence
82% confidence
Finding
SUDO

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Download
echo -ne "  Downloading sos.sh... "
if command -v curl &>/dev/null; then
  $SUDO curl -fsSL "$RAW_URL" -o "${INSTALL_DIR}/${SCRIPT_NAME}"
elif command -v wget &>/dev/null; then
  $SUDO wget -qO "${INSTALL_DIR}/${SCRIPT_NAME}" "$RAW_URL"
else
Confidence
97% confidence
Finding
SUDO

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if command -v curl &>/dev/null; then
  $SUDO curl -fsSL "$RAW_URL" -o "${INSTALL_DIR}/${SCRIPT_NAME}"
elif command -v wget &>/dev/null; then
  $SUDO wget -qO "${INSTALL_DIR}/${SCRIPT_NAME}" "$RAW_URL"
else
  echo -e "${RED}Error: curl or wget required${NC}"
  exit 1
Confidence
97% confidence
Finding
SUDO

External Script Fetching

Low
Category
Supply Chain
Content
Alternative — install from GitHub:
```bash
curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
```

## Usage
Confidence
96% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
# ═══════════════════════════════════════════════════════════════
# Claw-SOS Installer
# ═══════════════════════════════════════════════════════════════
# Usage: curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
# Or:    wget -qO- https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

set -euo pipefail
Confidence
99% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
# Claw-SOS Installer
# ═══════════════════════════════════════════════════════════════
# Usage: curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
# Or:    wget -qO- https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

set -euo pipefail
Confidence
99% confidence
Finding
wget -qO- https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Alternative — install from GitHub:
```bash
curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
```

## Usage
Confidence
98% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
# ═══════════════════════════════════════════════════════════════
# Claw-SOS Installer
# ═══════════════════════════════════════════════════════════════
# Usage: curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
# Or:    wget -qO- https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

set -euo pipefail
Confidence
99% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
# Claw-SOS Installer
# ═══════════════════════════════════════════════════════════════
# Usage: curl -fsSL https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash
# Or:    wget -qO- https://raw.githubusercontent.com/clawsos/claw-sos/main/install.sh | bash

set -euo pipefail
Confidence
99% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.