Security audit

Fox Openclawmp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw marketplace helper, but users should handle credentials carefully and review what they publish or install.

Install only if you trust this publisher and the openclawmp.cc service. Keep OPENCLAWMP_TOKEN and credential files private, avoid shared shell history or logs, review local directories before publishing, avoid --yes until you know what will be uploaded, and install marketplace assets only from publishers you trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (5)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs users to export an API token into an environment variable without adjacent guidance on secret handling, shell history exposure, process inheritance, CI log leakage, or secure storage. In a marketplace/agent context, this increases the chance that long-lived credentials are accidentally exposed to other tools, subprocesses, or logs.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The document presents destructive account-deletion commands and APIs without an immediate, prominent warning at the command location about irreversibility and required user confirmation. In an agent skill, terse destructive instructions can be followed mechanically, causing permanent loss of access and revocation of credentials.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README instructs users to publish local asset directories and notes that device identity is used for publishing, but it does not clearly warn that publishing may upload local project contents, metadata, and identifying information to a remote marketplace. In a CLI that handles local directories and remote publication, this omission can lead to accidental disclosure of sensitive files or user/device identity, especially if users do not understand what is packaged and transmitted.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code persists the auth token to ~/.openclawmp/auth.json in plaintext using default file permissions and without any hardening, encryption, or permission checks. On multi-user systems or in environments with lax umask settings, this can expose long-lived API credentials to other local users, backup systems, or malware that can read the file.

Credential Access

High

Category: Privilege Escalation
Content: > `POST /api/auth/register` 已废弃（410 Gone）。所有注册统一走 qualify → OAuth 流程。凭证查找优先级：`OPENCLAWMP_TOKEN` 环境变量 → `~/.openclawmp/credentials.json` ### 账号管理
Confidence: 88% confidence
Finding: credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/lib/commands/install.js:55

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/lib/commands/publish.js:271