Back to skill

Security audit

EasyClaw Config Migration

Security checks across malware telemetry and agentic risk

Overview

This is a local EasyClaw-to-OpenClaw configuration migration helper; its config-file access is expected, but users should treat the reports and backups as potentially sensitive.

Install only if you want an agent to inspect EasyClaw/OpenClaw config files and optionally update ~/.openclaw/openclaw.json. Run the dry-run/report first, review planned changes before --apply, avoid pasting raw report output publicly, and delete old backup files if they contain credentials you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to read and modify user configuration files, but it declares no permissions or equivalent capability boundaries. This creates a transparency and authorization gap: an invoking system or user may not realize the skill can access and change files in the home directory, increasing the risk of unintended file access or modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script generates a local configuration report that includes broad sections of EasyClaw and OpenClaw settings and prints them directly to stdout. Although it attempts to redact values whose keys contain token/secret/key/password, this is heuristic and can miss sensitive fields under unexpected names, while still disclosing internal configuration details, endpoints, plugins, and auth modes without any confirmation or minimization.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.