Back to skill

Security audit

Sentinel- OpenClaw Runtime Security

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-monitoring skill, but it combines persistent monitoring, local wallet custody, auto-approved payments, and remote archive handling in ways users should review before installing.

Install only if you are comfortable with a local security binary that reads OpenClaw skill files, monitors processes/network activity in daemon mode, stores wallet keys under ~/.sentinel, and may auto-sign small USDC payments. Prefer --offline for local-only scans, set the wallet spend limit to 0 before funding it, and avoid remote ClawHub checks until archive extraction and payment recipient validation are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The build documentation reveals functionality that exceeds the manifest's stated five runtime defenses, specifically external VirusTotal lookups and broader networked behavior. This is dangerous because users and reviewers may make trust decisions based on the manifest description while the binary performs additional outbound actions and data handling not clearly disclosed.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation describes persistent wallet creation, keystore storage, and encrypted mnemonic handling that are not transparently reflected in the manifest description. In a security-monitoring skill, undeclared credential-like material and a cryptocurrency wallet materially increase risk because they expand the attack surface, create valuable local secrets to target, and may enable financial actions users did not expect.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code exposes active behaviors beyond the advertised runtime defenses by implementing quarantine and external reporting capabilities. This is dangerous because users and calling agents may grant trust based on the manifest description, while the skill can move installed content or transmit metadata off-host, creating an integrity and privacy gap.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The audit path performs remote ClawHub fetches and VirusTotal lookups that are not clearly reflected in the skill description. Hidden network behavior during a security audit is risky because it can leak queried skill identifiers, hashes, or metadata and breaks the expectation that scanning is local unless clearly disclosed.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The function downloads a remote archive and invokes an external `unzip` binary to extract it. This broadens the attack surface significantly: malicious archives can exploit unsafe extraction behavior such as path traversal or symlink abuse, and reliance on an external binary introduces environment-dependent execution risk in a security-sensitive workflow.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements wallet generation, recovery, mnemonic export, keystore handling, and signed payment execution, which materially exceed a stated runtime-defense/monitoring purpose. In a security skill, adding fund custody and payment-signing capabilities increases attack surface and creates a high-risk path for credential theft, unauthorized spending, or abuse under the guise of protection features.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can decrypt and print the full 12-word recovery phrase and can reconstruct the signing wallet from that phrase. Exposing seed phrases in cleartext is extremely dangerous because any local compromise, shoulder-surfing, terminal logging, or malicious wrapper can permanently transfer control of the user's funds.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance is broad enough to match ordinary user phrases like 'audit', 'protect my agent', or 'my agent is acting weird', which can cause the skill to activate in contexts where the user did not clearly request it. For a skill with shell access, scanning capability, wallet functions, and potential network activity, over-triggering materially increases unintended execution risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The workflow examples use generic prompts like 'scan my skills', 'audit', and 'check for threats' without clearly defining limits on what directories, artifacts, or actions are in scope. In a security-oriented skill that can inspect local files and potentially interact with network/payment features, ambiguous activation language can lead to over-collection, unintended scans, or escalation into premium/networked actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Reporting a skill name to ClawHub without clear user-facing disclosure is a privacy and transparency issue. Even limited metadata can reveal what tools a user has installed or is investigating, which is especially sensitive for a security-audit skill where users may expect minimal data sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code downloads and writes remote archives during analysis without a clear user-facing warning. In context, a security tool silently retrieving external content is more dangerous because users may assume analysis is passive; instead, it causes network activity and writes untrusted data to disk before inspection.

External Transmission

Medium
Category
Data Exfiltration
Content
if !offline {
        println!("Acquiring premium session via x402...");
        match payment::execute_x402_payment(
            "https://api.runtime-sentinel.dev/v1/daemon/start",
            &serde_json::json!({"features": ["egress", "process_anomaly", "file_watch"]}),
        )
        .await
Confidence
88% confidence
Finding
https://api.runtime-sentinel.dev/

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/threat-model.md:33