openclaw-clawhome-cli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward installer for connecting OpenClaw to Clawhome, with expected plugin installation, gateway restart, and channel-secret configuration.

Install only if you trust the npm package, the OpenClaw plugin it installs, and the Clawhome service. Treat the channel secret like a password, avoid pasting it in shared terminals or screenshots, and rotate it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill tells users to configure a channel secret directly but gives no warning about secret handling, storage, logging, or rotation. In an integration skill for an external chat platform, this increases the chance that operators expose credentials in shell history, screenshots, shared terminals, or improperly protected config files, which could allow unauthorized access to the channel.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal