Security audit

Fox Openclawmp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw marketplace helper, but users should handle credentials carefully and review what they publish or install.

Install only if you trust this publisher and the openclawmp.cc service. Keep OPENCLAWMP_TOKEN and credential files private, avoid shared shell history or logs, review local directories before publishing, avoid --yes until you know what will be uploaded, and install marketplace assets only from publishers you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to export an API token into an environment variable without adjacent guidance on secret handling, shell history exposure, process inheritance, CI log leakage, or secure storage. In a marketplace/agent context, this increases the chance that long-lived credentials are accidentally exposed to other tools, subprocesses, or logs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document presents destructive account-deletion commands and APIs without an immediate, prominent warning at the command location about irreversibility and required user confirmation. In an agent skill, terse destructive instructions can be followed mechanically, causing permanent loss of access and revocation of credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to publish local asset directories and notes that device identity is used for publishing, but it does not clearly warn that publishing may upload local project contents, metadata, and identifying information to a remote marketplace. In a CLI that handles local directories and remote publication, this omission can lead to accidental disclosure of sensitive files or user/device identity, especially if users do not understand what is packaged and transmitted.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code persists the auth token to ~/.openclawmp/auth.json in plaintext using default file permissions and without any hardening, encryption, or permission checks. On multi-user systems or in environments with lax umask settings, this can expose long-lived API credentials to other local users, backup systems, or malware that can read the file.

Credential Access

High
Category
Privilege Escalation
Content
> `POST /api/auth/register` is deprecated (410 Gone). All registration goes through the qualify → OAuth flow.

Credential lookup priority: `OPENCLAWMP_TOKEN` environment variable → `~/.openclawmp/credentials.json`

### Account management
Confidence
88% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/commands/install.js:55

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/commands/publish.js:271