Clawd Zero Trust

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw hardening skill, but it also applies broad privileged settings and immediate firewall exceptions that users should review before installing.

Install only if you are comfortable with a skill that can change firewall policy and OpenClaw runtime authority. Before applying:
  • review hardening.json, especially tools.exec, tools.elevated, and the Telegram allowFrom entry;
  • remove any provider domains you do not need;
  • avoid whitelist.sh unless you have reviewed the destination and port;
  • run the audit/dry-run modes with a firewall and OpenClaw config backup available.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (17)

Description-Behavior Mismatch
Severity: Medium | Confidence: 97%

The README explicitly states that the hardening profile preserves `tools.exec` with `security: full`, `ask: off`, and enables `tools.elevated`, which undermines the stated Zero Trust posture by retaining powerful local execution without approval gates. In an AI agent context, prompt injection, plugin compromise, or model misbehavior could directly translate into arbitrary host command execution, making the documentation itself a signal that the skill intentionally leaves a high-risk execution path open.

Intent-Code Divergence
Severity: Medium | Confidence: 97%

The file first prohibits self-update actions without explicit approval, then later mandates a canned update proposal containing exact commands to run, including `openclaw update`. This contradiction creates operator confusion and increases the chance that unsafe update guidance is surfaced during unrelated interactions, undermining the stated safety control.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%

The allowlist includes consumer/media domains such as YouTube-related hosts alongside broader third-party services that are not clearly necessary for Zero Trust hardening of an OpenClaw deployment. In a security-hardening skill, unnecessary egress destinations weaken the trust boundary, increase attack surface, and can enable covert data exfiltration or unreviewed plugin/service communication under the guise of approved traffic.

Context-Inappropriate Capability
Severity: Medium | Confidence: 98%

Allowlisting a test/local-style destination like 'testing.local' is inconsistent with a production-oriented Zero Trust hardening policy. Such entries can create policy bypass opportunities, permit unintended internal name resolution targets, and make exfiltration or lateral movement harder to detect because the destination appears pre-approved.

Description-Behavior Mismatch
Severity: High | Confidence: 98%

The configuration explicitly enables elevated tooling and also disables execution prompts via `ask: off`, which creates a path for high-risk actions without meaningful interactive approval. In a skill marketed as Zero Trust hardening, this is especially dangerous because operators may assume stronger controls than are actually enforced, increasing the chance of unauthorized or over-broad privileged execution.

Description-Behavior Mismatch
Severity: Medium | Confidence: 94%

Setting PLP mode to `graceful` weakens least-privilege enforcement by implying the system may continue operating when policy constraints are incomplete or not strictly met. For a Zero Trust hardening skill, this undermines the stated security posture and can permit broader access than intended during bootstrap or policy gaps.

Context-Inappropriate Capability
Severity: Medium | Confidence: 88%

Granting `web_search` and `web_fetch` to a provider profile in a hardening-focused configuration expands outbound data access and attack surface without clear justification tied to system hardening. These capabilities can be abused for unneeded external communication, data exfiltration, or retrieval of untrusted content in a context that should favor minimization.

Intent-Code Divergence
Severity: Medium | Confidence: 87%

The script advertises a zero-trust policy sync but only writes restrictions for one hard-coded Gemini model entry while explicitly leaving other providers untouched. In a security-hardening skill, this creates a misleading enforcement gap: operators may believe tool restrictions are broadly applied when Claude or other configured models remain unrestricted, enabling policy bypass through model selection.

Description-Behavior Mismatch
Severity: High | Confidence: 98%

This script directly weakens egress restrictions by appending arbitrary domain/port pairs to the provider allowlist and immediately applying them with a forced firewall refresh. In a skill marketed as Zero Trust hardening, adding an unrestricted exception mechanism is especially dangerous because it creates an easy path to bypass outbound controls and exfiltrate data or reach attacker infrastructure.

Intent-Code Divergence
Severity: Medium | Confidence: 94%

The comments explicitly describe 'punctur[ing] the Zero Trust proxy' while presenting the script as part of Zero Trust hardening, which normalizes and conceals security-reducing behavior. Misleading security documentation increases the likelihood that operators will run a bypass tool believing it is protective, resulting in unsafe configuration changes.

Context-Inappropriate Capability
Severity: High | Confidence: 97%

The script lets a user grant arbitrary egress exceptions by supplying any domain and port, then applies that change to the firewall configuration with elevated privileges. In the context of a security-audit/hardening skill, this capability is unjustified and materially increases attack surface by enabling outbound access that may defeat segmentation, plugin isolation, or data-loss controls.

Natural-Language Policy Violations
Severity: Medium | Confidence: 96%

Documenting and preserving host tool execution with full security and no approval normalizes an unsafe operating mode for deployments that may assume this skill enforces least privilege. In the context of a security-hardening skill, this is more dangerous than usual because operators may trust the skill's Zero Trust branding and unknowingly deploy an agent with unrestricted execution capability still enabled.

Vague Triggers
Severity: Medium | Confidence: 84%

The description says the skill triggers on broad categories like security audit requests, vulnerability analysis, and post-deployment reviews. Over-broad routing can cause this skill to activate in contexts where firewall changes, root-requiring guidance, or update-policy instructions are irrelevant or harmful.

Missing User Warnings
Severity: Medium | Confidence: 90%

The documentation presents `--apply`, `--canary`, `--reset`, and `--refresh` as normal workflow steps but does not prominently warn that these operations can interrupt network access, lock out services, or sever remote administration. In a security-hardening skill, that omission is especially risky because users may assume the actions are safe defaults.

Missing User Warnings
Severity: Medium | Confidence: 95%

The dynamic whitelisting helper is described as user-friendly and states it "instantly applies" changes to UFW, but it does not clearly foreground that running it immediately changes active firewall policy. That can lead to accidental exposure or breakage, especially if users treat it as a harmless config-edit helper.

Vague Triggers
Severity: Medium | Confidence: 84%

The elevated access policy appears to trust requests originating from the `telegram` plugin for a specific numeric identifier, but the authorization semantics and binding strength are unclear. Ambiguity around how identity is verified or when the allow rule is triggered can lead to privilege escalation if the source identity is spoofed, mis-bound, or interpreted too broadly.

Missing User Warnings
Severity: Medium | Confidence: 90%

The script modifies a persistent configuration file and triggers a privileged firewall update immediately, without any confirmation prompt, dry-run mode, or warning about the security consequences. This raises the risk of accidental or socially engineered policy changes that could silently weaken network controls.

VirusTotal

41/41 vendors flagged this skill as clean.