Openclaw Plugin Upgrade

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw plugin upgrade helper, but it grants broad install, cleanup, code-execution, and restart authority without strong pre-run scoping or confirmation.

Review before installing. Use only with trusted OpenClaw plugins. Before running it, confirm the exact npm package name, plugin ID, target version, legacy cleanup directories, and whether a gateway restart is acceptable. Avoid untrusted or typo-prone package names, and do not pass custom legacy directory values unless you have verified they are simple plugin directory names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script explicitly executes a JavaScript file from the newly installed plugin directory (`scripts/postinstall-link-sdk.js`). Because plugin contents come from an npm package and may be attacker-controlled or compromised, this turns a nominal 'upgrade helper' into a code-execution path with the privileges of the user running the upgrade. In this skill context, that is especially dangerous because the helper is designed to fetch and install arbitrary plugins, so executing plugin-provided code materially expands the trust boundary.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation phrases are overly broad, including generic requests like '帮我升级插件' and '升级 openclaw 插件', which can cause the skill to trigger in situations where the user did not intend this specific upgrade workflow. Because this skill performs package installation, cleanup, verification bypass handling, and possible service restart, accidental activation could lead to unintended system changes and downtime.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description and workflow omit a clear user-facing warning that the process may delete legacy directories, perform rollback operations, bypass configuration validation logic for compatibility, and restart the gateway. In an agent context, failing to disclose these destructive or state-changing actions increases the risk of users authorizing an operation without understanding service impact or filesystem modifications.

VirusTotal

63/63 vendors flagged this skill as clean.
