Security audit

OpenClaw Usage Manager

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it handles Claude account tokens, can automatically change the active OpenClaw account, and can terminate local processes, so it needs user review before installation.

Install only if you intentionally want a local tool that can use both Claude account tokens and change OpenClaw's active Anthropic account. Review the scripts first, protect or avoid tokens.json, back up auth-profiles.json, test manually before enabling cron, and remove the automatic port-kill behavior if port 18800 may be used by other software.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Context-Inappropriate Capability

High

Confidence: 95% confidence
Finding: The server includes host-level process termination logic that is unrelated to its core function of serving a local usage dashboard. On startup error, it runs a shell pipeline to find and kill any process using the configured port, which can terminate unrelated local software and creates unnecessary command-execution risk in a component that handles credentials.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The code executes a process-killing shell command automatically and without confirmation when the port is in use. Even though it is not directly remote-triggerable under normal conditions, it can disrupt the host environment by killing unrelated processes and normalizes dangerous side effects in a dashboard utility.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script silently rewrites the active auth profile token, changing which account subsequent agent operations will use without confirmation or audit controls. In an agent-skill context, this can alter identity, billing source, quotas, and access boundaries in a way that is easy for a user to miss.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script persists API tokens to a local JSON file without clearly warning the user that long-lived credentials will be stored on disk. Even though it later applies `chmod 600`, plaintext secret storage increases the risk of credential exposure through backups, disk compromise, terminal misunderstanding, or accidental inclusion in other tooling.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script retrieves API tokens from 1Password and persists them in plaintext to ~/.openclaw/workspace/tools/usage-switch/tokens.json. Even though chmod 600 is applied afterward, storing long-lived credentials on disk increases exposure to local compromise, backups, accidental disclosure, and misuse by other local processes running as the same user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal