Back to skill

Security audit

Skill

Security checks across malware telemetry and agentic risk

Overview

This cost-saving skill appears purpose-aligned, but it needs Review because it persistently changes OpenClaw behavior, installs global command-rewriting hooks, and can transmit local spend/license data.

Install only if you are comfortable with ClawTK changing your OpenClaw config, logging tool-call metadata locally, changing some model routing to Gemini, installing a global command-output compression hook for Pro features, and optionally sending spend data plus a license key to ClawTK’s cloud. Before using Pro/Cloud sync, inspect the spend log contents and confirm how to remove or disable the rtk global hook if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while explicitly instructing the agent to execute multiple shell commands such as setup, restore, sync, activation, and uninstall scripts from the local filesystem. This creates a transparency and trust problem: users and policy systems may not realize the skill can run privileged local actions, including configuration changes and network-triggering scripts, before consenting appropriately.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The public description frames the skill as a local cost-optimization helper, but the documented behavior also includes license validation, cloud sync, local persistence of spend telemetry, and Pro-tier activation. That mismatch is security-relevant because users may authorize installation expecting only local config tuning, while the skill can collect, store, and transmit usage metadata to a remote service.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The hook caches `bash` results based on a permissive allowlist that includes commands like `git status`, `du`, `df`, and similar environment-dependent commands, even though the comment claims only deterministic read-only commands are cached. In an agent context, reusing stale results can mislead later decisions about repository state, filesystem state, or environment state, causing incorrect actions, bypassing fresh checks, or masking changes made by other tools or users.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The installer does more than install a compression tool: it globally enables `rtk init -g --auto-patch`, which adds command-rewriting hooks affecting future shell behavior. That expands the trust boundary from a single binary install to persistent interception/modification of commands, creating a meaningful supply-chain and integrity risk if the tool is buggy, compromised, or behaves unexpectedly.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script downloads a shell script from GitHub and immediately executes it with `sh` without any authenticity or integrity verification such as a pinned checksum or signature. This is a classic remote code execution pattern: if the upstream repo, tag resolution, network path, or fetched content is compromised, arbitrary code will run on the user's machine during installation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs cloud synchronization of local spend data to a remote API, which exceeds the skill's stated local cost-optimization scope and creates an undisclosed data egress path. In a security-sensitive agent environment, silent or under-disclosed outbound transfer of user activity metadata is dangerous because the synced JSONL may contain more sensitive fields than users expect.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims that only limited metadata is sent, but it uploads each JSONL record wholesale via jq -s '.' and posts it as entries without any field allowlist or redaction. If the spend log contains prompts, filenames, conversation fragments, API payloads, or other sensitive metadata, the script will exfiltrate all of it to the remote service contrary to the stated assurance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The handler persistently logs every tool call to a JSONL file in the user's home directory, including tool names, timestamps, and a deterministic hash of the full parameter set. Even though raw parameters are not written directly, this still creates undisclosed behavioral telemetry and the hash can enable correlation of repeated sensitive actions; if the directory is readable by other local users, backups, or support tooling, it exposes usage history without explicit consent or retention controls. In a cost-control hook, this is not required to be indefinitely persistent in its current form, which makes the privacy risk more serious in context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly recommends sending heartbeat traffic, context compaction data, and images to third-party model providers, including switching some operations to Google's Gemini, but it does not warn users that potentially sensitive session context or images may leave their current provider boundary. In a cost-optimization skill, this omission is materially risky because users may enable the patches assuming only pricing changes, not a change in data exposure or provider handling.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The file states that ClawTK makes config changes and emphasizes reversibility, but it does not clearly foreground that local OpenClaw configuration will be modified when the skill is used. This can lead to users applying persistent behavioral and routing changes without fully understanding that their local settings, model selection, spend caps, or data-handling behavior have been altered.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly tells users to edit an internal state file to raise `spendCaps.daily`, which bypasses a cost-control safety feature. Even if intended as troubleshooting, documenting manual tampering with guardrail state normalizes disabling protections and can lead to unexpected spend, broken state, or unsupported configurations.

Missing User Warnings

High
Confidence
98% confidence
Finding
Piping a remotely fetched script directly into `sh` executes unreviewed code from the network with no integrity verification, pinning, or safety warning. If the upstream repository, branch, transport, or account is compromised, users could run arbitrary attacker-controlled code on their systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer silently applies a global auto-patch configuration with no explicit confirmation, despite the comments stating it installs a `PreToolUse` hook that transparently rewrites bash commands. Modifying command execution semantics without a prompt undermines user consent and can lead to unexpected command changes, data exposure, or difficult-to-diagnose behavior across future sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persistently overwrites the user's OpenClaw configuration without any confirmation, dry-run, or interactive consent step. Although it creates a backup, the change is still immediately applied and may alter model selection, context limits, and heartbeat behavior in ways the user did not explicitly approve, which is risky for a one-command setup tool that modifies personal agent settings.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The setup persists a licenseKey field in a state file under the user's home directory without any visible warning, consent flow, or file-permission hardening. Even though the key is not transmitted in this snippet, storing credential-like material in plaintext can expose it to other local users, backups, logs, or malware, especially because this is a shell script writing directly to a predictable path.

External Transmission

Medium
Category
Data Exfiltration
Content
fi

    # POST to API
    response=$(curl -sS --max-time 30 \
        -H "Content-Type: application/json" \
        -H "X-License-Key: $license_key" \
        -d "{\"entries\": $batch}" \
Confidence
92% confidence
Finding
curl -sS --max-time 30 \ -H "Content-Type: application/json" \ -H "X-License-Key: $license_key" \ -d

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
hooks/clawtk-cache/handler.ts:114