NxtSecure-openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw host hardening skill, but it can make persistent privileged system changes automatically and needs careful review before use.

Install only on the OpenClaw Linux host you intend to harden. Before enabling cron, review or pin the npm package, inspect the config file ownership and contents, disable auto-remediation for a first run if possible, verify SSH key access and recovery access, and treat Docker allowlists and disk cleanup settings as potentially service-impacting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill explicitly instructs the agent to run shell commands such as global npm installation, privileged audit/remediation commands, SSH reconfiguration, and cron installation, yet no declared permissions are present. This creates a dangerous mismatch where a user or platform may not realize the skill is intended to execute high-impact host changes, increasing the risk of unauthorized command execution on the target system.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The script defaults to AUTO_REMEDIATE=1 and performs system changes such as enabling services, editing SSH configuration, installing packages, and modifying firewall state, which goes beyond a passive audit. In a security-audit skill, silent remediation increases the chance of unintended operational disruption and expands the blast radius if the script is run with elevated privileges.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding: The script can stop any running Docker container not present in ALLOWED_DOCKER_CONTAINERS, which is a strong operational control rather than a simple audit. If the allowlist is missing, stale, or attacker-influenced, legitimate workloads can be disrupted, causing service outage or data loss in stateful containers.

Context-Inappropriate Capability

High
Confidence: 97%
Finding: docker system prune -af is destructive and can remove images, stopped containers, networks, and build cache, affecting unrelated workloads on the host. Although gated by ALLOW_DOCKER_PRUNE, including this in an audit/remediation path for disk usage creates significant risk of accidental service impact and recovery overhead.

Missing User Warnings

High
Confidence: 95%
Finding: Automatic remediation is enabled by default and includes privileged, persistent, and potentially disruptive changes without any interactive confirmation or explicit disclosure at runtime. This is dangerous because operators may expect an audit but instead trigger service enables, SSH changes, firewall modifications, or package installation.

Missing User Warnings

High
Confidence: 99%
Finding: The script sources a configurable file directly with the shell's source builtin, which executes arbitrary shell code in the script's process. Because the file can come from an environment variable or local reference path and the script may run with sudo/root behavior, a malicious or tampered config becomes a direct code-execution vector.

VirusTotal

64/64 vendors flagged this skill as clean.