OpenClaw Security Audit

Security checks across malware telemetry and agentic risk

Overview

This prompt-only skill audits and optionally hardens an OpenClaw setup, with sensitive actions disclosed and gated by user plan selection.

Install only if you want an agent to inspect your local OpenClaw configuration and possibly apply hardening changes. Treat reports as sensitive, choose report-only if unsure, review planned edits before accepting, and expect a gateway restart to briefly disrupt service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The manifest promises scanning and guided fixes, but the body instructs the agent to edit configuration files, change permissions, create backups, and restart services. This expands the skill from advisory analysis into system modification without that higher-risk behavior being clearly disclosed in metadata, increasing the chance of surprising or unsafe side effects.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: Restarting the OpenClaw gateway is a service-management action that can interrupt availability, apply unintended configuration changes immediately, and affect other users or sessions. Because the manifest frames the skill narrowly as scanning and guided hardening, including a restart step creates hidden operational impact beyond what a user may reasonably expect.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The README advertises broad natural-language trigger phrases such as "security check" and "安全检查", which can plausibly appear in normal conversation and cause the skill to activate unintentionally. Because this skill is described as using read/exec/edit capabilities and can proceed to configuration changes and service restarts, accidental invocation increases the chance of unintended security scans or subsequent destructive changes.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The README states that the agent will automatically read configs, execute commands, edit configuration items, and restart the gateway, but it does not present a clear upfront warning about these side effects or their operational risk. In a prompt-only skill that can drive privileged built-in tools, insufficient disclosure can mislead users into invoking a workflow that modifies security-sensitive files or disrupts service availability without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README states that the agent will use exec/edit to back up configuration, restart the gateway, and automatically modify settings after a plan is selected, but it does not clearly warn users about service interruption, configuration drift, rollback expectations, or the scope of file/system changes. In a prompt-only skill, these behavioral claims directly shape agent actions, so underspecified system-impacting operations can lead to unsafe modifications or unexpected restarts on real systems.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding: The skill advertises broad trigger phrases such as "security check" and "harden my setup," which are generic enough to cause accidental invocation in ordinary conversation. Because this skill reads sensitive configuration files and later proposes executing commands and editing config, unintended activation expands exposure to privileged operations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill description says it will scan and harden configuration, but the body later instructs the agent to back up files, edit JSON, change permissions, restart services, and run verification commands. Incomplete upfront disclosure is risky because users may invoke the skill expecting a read-only audit while it is designed to perform state-changing operations after a prompt sequence.

VirusTotal

65/65 vendors flagged this skill as clean.