OpenClaw Guardian CN

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent OpenClaw monitoring purpose, but it can set up persistent watchdog tasks and elevated scheduled execution without clear opt-in controls.

Install only if you intentionally want a persistent OpenClaw watchdog. Before using it, review any cron or Windows Task Scheduler commands, avoid elevated Windows setup unless truly needed, verify the referenced scripts exist, and know how to remove the scheduled tasks and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
This section instructs the skill to automatically install persistent OS-level watchdogs during a self-check, changing system state in a durable way that exceeds a normal diagnostic/recovery action. Silent persistence is dangerous because it survives the current session and can repeatedly execute commands without renewed user approval.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The one-click setup expands from service checking into copying files into user-controlled directories and creating recurring jobs, which is persistent modification of the host. Even if intended for maintenance, bundling these actions into a self-check skill makes the behavior more dangerous because users may not expect installation-like side effects.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
Registering a Windows scheduled task with RunLevel Highest creates privileged persistence, which materially increases risk if the task command or referenced script is modified later. Elevated recurring execution is especially sensitive because it can become a privilege-escalation or persistence foothold on the host.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough that ordinary requests about system status or restarting Gateway may activate the skill unexpectedly. Because this skill can perform recovery actions and install persistence, accidental triggering raises the likelihood of unreviewed system changes.

Vague Triggers

Medium
Confidence: 89%
Finding
The manual invocation examples are vague and conversational, which makes unintended activation more likely in normal troubleshooting dialogue. In the context of a skill capable of restarting services and configuring persistence, ambiguous invocation materially increases operational risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill describes automatically editing cron configuration without a clear, prominent warning that it is creating persistent scheduled execution. Persistence changes are security-sensitive because they survive the current interaction and may be hard for users to notice or remove later.

Missing User Warnings

Medium
Confidence: 96%
Finding
This Linux setup block auto-adds cron jobs and background logging but does not clearly foreground that it is writing persistent tasks and log files to the system. Hidden or under-disclosed persistence is dangerous even for benign maintenance because it creates an enduring execution path.

Missing User Warnings

Medium
Confidence: 98%
Finding
The Windows setup registers scheduled tasks with elevated privileges but does not provide an explicit warning about both persistence and privilege consequences. Users may approve a 'guardian' feature without realizing they are authorizing privileged recurring code execution.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script automatically attempts to start the OpenClaw gateway when it detects the process is not running, without explicit user confirmation at execution time. In a system-guardian/self-healing skill this behavior is intentional, but it still creates a security and operational risk because a scheduled or unexpected invocation can start network-facing services and change system state without the user's awareness.

VirusTotal

59/59 vendors flagged this skill as clean.
