Back to skill

Security audit

Init Hooks

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it creates persistent startup code execution with remote download support and limited safety controls, so users should review it carefully before installing.

Install only if you intentionally want persistent startup hooks that can run arbitrary code on every OpenClaw boot. Avoid remote URL hooks unless you fully trust and pin the source, review every hook before enabling it, be careful with credential-restoration scripts, and check post-init.sh/start.sh plus workspace/.init-hooks when auditing or removing the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if args.run_inline:
        print(f"[sync] 执行 inline: {args.run_inline}")
        try:
            result = subprocess.run(["bash", "-c", args.run_inline])
            if result.returncode != 0:
                print(f"[sync] ⚠️  inline 执行失败(exit {result.returncode}),仍尝试同步...", file=sys.stderr)
        except FileNotFoundError as e:
Confidence
98% confidence
Finding
result = subprocess.run(["bash", "-c", args.run_inline])

Tainted flow: 'START_SH' from os.environ.get (line 41, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
f'unset _IH_DISPATCHER\n'
    )
    try:
        with open(START_SH, "a") as f:
            f.write(inject)
        print("[init-hooks] ✅ start.sh 已注入 dispatcher 调用")
    except PermissionError:
Confidence
88% confidence
Finding
with open(START_SH, "a") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of shell execution, file reads/writes, environment variables, and network downloads, yet no explicit permissions are declared. That mismatch weakens review and consent controls, making it easier for a user or downstream agent to invoke powerful operations without clear visibility into the risk surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file is presented as a configuration synchronization tool, but it also implements arbitrary script execution and inline shell execution. That scope expansion turns a simple sync utility into a general command runner, increasing attack surface and making misuse more likely, especially in a skill designed to manage startup hooks that survive restarts and can affect persistent container state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes automatic execution of startup hooks and supports fetching hook payloads from remote CDN URLs, but it does not prominently warn users that these hooks are arbitrary code execution mechanisms with persistence across restarts and rebuilds. In this skill context, that omission is materially risky because users may install or add hooks without appreciating that a remote archive or inline command will execute automatically on every boot and can modify the container, workspace, or mirrored configuration.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase for configuration changes is broad enough that ordinary requests like 'modify config' or 'change gateway settings' could auto-activate this skill. Because the skill can alter startup behavior and persist hooks, accidental invocation could lead to unintended system changes that survive restarts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The user-intent mapping treats generic requests like 'add a startup hook' or 'add boot execution' as sufficient to invoke persistence-related functionality. Since startup hooks execute automatically on future boots, this broad matching increases the chance of unintentional persistence being created from ambiguous requests.

Vague Triggers

Low
Confidence
80% confidence
Finding
Trigger examples like 'test it' or 'run once' are generic and can overlap with normal conversation. In this skill, such ambiguity is risky because 'run' may execute all enabled hooks, including shell commands or downloaded code.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill supports downloading remote archives from a URL, auto-extracting them, and executing an inferred or specified entrypoint, but the documentation lacks a strong warning or trust-validation requirements. This creates a direct remote code execution and persistence path: malicious or compromised URLs can install code that runs immediately and again on future restarts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill centers on automatic execution of inline shell commands and local scripts at startup, but it does not prominently warn that these commands will run automatically and persist across restarts. In context, this is especially dangerous because startup execution can hide harmful actions, repeatedly reapply changes, or re-establish persistence after recovery efforts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The example instructs users to append to ~/.bashrc persistently at startup, which changes future shell behavior beyond the hook itself. In a startup-hook skill, this is security-relevant because profile modification can silently persist environment manipulation and may surprise users if not clearly disclosed and scoped.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation recommends restoring credentials/accounts at startup without guidance on secure storage, least privilege, or secret handling. In this skill's persistence-focused context, automating credential restoration increases the risk of insecure secret exposure, accidental logging, or broad unauthorized access if the script or storage is compromised.

Missing User Warnings

High
Confidence
97% confidence
Finding
The guide endorses downloading and executing code from a CDN at startup, including archives with auto-selected entry points, without integrity verification or trust constraints. In a persistent startup-hook system, this becomes especially dangerous because remote code execution can recur on restarts and can modify configuration, credentials, or the runtime environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.