Security audit

Claude-Code引擎赋能OpenClaw

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly consistent with its stated goal, but it asks users to install persistent background jobs and broad command-running automation without enough safeguards or cleanup guidance.

Install only after reviewing the commands. Use a sandbox or non-root account, avoid enabling the cron jobs unless you intentionally want persistent automation, pin and review dependencies, and do not let the subagent executor run arbitrary commands against important files, accounts, or credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The skill instructs installation of a recurring cron job that persists beyond the current session and runs unattended. For an architecture-upgrade skill, this is a system-persistence capability that can keep executing code without fresh user approval, increasing risk if the script changes or is later repurposed.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The subagent executor accepts task-provided commands and runs them with shell=True, enabling arbitrary shell execution. In a concurrent agent framework this is especially dangerous because multiple untrusted or model-generated commands may run in parallel, amplifying damage and making review harder.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill directs creation of files under /root and installation of a cron job without prominent warning that it will make persistent system-level changes. Lack of disclosure increases the chance a user authorizes actions they do not understand, especially because the modifications affect privileged locations and continue running later.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The vector memory loader recursively reads memory markdown files and persists their contents into a vector database, but the skill does not clearly warn that bulk ingestion and long-term indexing will occur. This can expose sensitive notes, credentials, or proprietary content to broader retrieval and retention than the user expects.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The concurrency subsystem describes parallel execution of shell commands and external skill invocations without a strong warning about arbitrary command execution. In context, this is more dangerous because concurrency reduces human oversight and can rapidly compound destructive actions across the system.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The health-check setup installs another recurring cron job and can automatically trigger follow-on scripts affecting files and process state, but this persistence is not highlighted as a significant behavior change. Hidden automation of secondary actions increases the chance of unintended execution chains and surprises users after the initial run.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.