Security audit

Openclaw Cat

Security checks across malware telemetry and agentic risk

Overview

This is a coherent cat-roleplay skill that uses a configured LLM API for its stated purpose, with privacy and endpoint-trust considerations users should understand.

Install only if you are comfortable storing an LLM API key in `config.json` and sending generated cat prompts, cat name, and cat profile details to the chosen provider. Leave `base_url` empty unless you trust the endpoint, consider using a dedicated API key with spending limits, and prefer `/cat` if you want to avoid accidental natural-language activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation and metadata describe behavior that reads and writes local files (`config.json`, `.cat_cache.json`) and sends prompts to external model providers, but no permissions are declared. This creates a transparency and governance gap: users or host platforms may not realize the skill has filesystem and network capabilities, increasing the risk of over-privileged or unexpected behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill permits a config-supplied `base_url` to override the default LLM endpoints for multiple providers, enabling arbitrary outbound HTTP requests with the API key in headers and prompt content in the body. For a simple cat-roleplay skill, this expands its network capability beyond the stated purpose and could be abused for data exfiltration or SSRF-like access to internal services if an attacker can modify configuration.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises broad natural-language activation phrases such as asking what the cat is doing, which can overlap with ordinary conversation and cause the skill to trigger unintentionally. In an agent environment, overly broad triggers can expand the skill's execution surface and lead to unexpected model calls or behavior without clear user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README highlights multi-model/API support and API-key configuration but does not clearly warn that user prompts and related content may be transmitted to third-party model providers. This can create a privacy and data-handling risk because users or deployers may not realize their inputs are leaving the local environment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger definition is broad enough to activate on ordinary conversation about a cat, not just an explicit command. That can cause unintended invocation, leading to unexpected external API calls, disclosure of user text to third-party model providers, and confusing behavior in normal chat contexts.
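Both Vague Triggers findings come down to the same design choice: whether an incidental mention of a cat is allowed to cause a model call. The following is an added example, not the skill's own code or trigger definition. It constructs a hypothetical broad pattern in the style of the README's "what is the cat doing" phrasing, contrasts it with an explicit `/cat` command, and routes broad matches to a suggestion instead of an activation so that no external request is made without clear intent. The sample messages are constructed for the example.

```python
"""Added example (not the skill's own code): route broad natural-language
matches to a suggestion and reserve activation for the explicit /cat command."""
import re
from enum import Enum


class Decision(Enum):
    ACTIVATE = "activate"   # run the skill, which makes an external model call
    SUGGEST = "suggest"     # offer "/cat" to the user; no model call is made
    IGNORE = "ignore"


# Hypothetical broad trigger modelled on the README's "what is the cat doing"
# style phrases. The skill's real trigger definition is not reproduced here.
BROAD_TRIGGER = re.compile(
    r"\bcat\b.*\b(doing|up to)\b|\bhow(?:'s| is) (?:the |my |your )?cat\b",
    re.IGNORECASE,
)

# Explicit command: the message must start with "/cat" followed by whitespace or end.
# "/category" does not match.
COMMAND_TRIGGER = re.compile(r"^/cat(?:\s|$)")


def broad_matches(message: str) -> bool:
    """True if the broad natural-language pattern fires on this message."""
    return BROAD_TRIGGER.search(message) is not None


def decide(message: str, allow_natural_language: bool = False) -> Decision:
    """Decide whether a chat message should activate the skill.

    With allow_natural_language=False (the recommended setting) only the
    explicit command activates; a broad match only yields a suggestion, so an
    incidental mention of a cat never triggers a model call."""
    if COMMAND_TRIGGER.match(message.strip()):
        return Decision.ACTIVATE
    if broad_matches(message):
        return Decision.ACTIVATE if allow_natural_language else Decision.SUGGEST
    return Decision.IGNORE


# Constructed sample conversation for the example, not real user data.
SAMPLE_MESSAGES = [
    "/cat",
    "/cat what are you up to right now?",
    "what is the cat doing right now?",
    "why is the `cat` command in my CI job doing nothing?",   # unrelated, but the broad pattern fires
    "how is my cat after the vet visit? the bill was $400",    # personal content, broad pattern fires
    "/category theory is hard",
    "please summarise this design doc",
]


def activations(messages, allow_natural_language: bool):
    """Messages that would cause an external model call under the given policy."""
    return [m for m in messages if decide(m, allow_natural_language) is Decision.ACTIVATE]


if __name__ == "__main__":
    for policy in (True, False):
        print(f"allow_natural_language={policy}:")
        for m in activations(SAMPLE_MESSAGES, policy):
            print("   ", m)
```

With natural-language activation enabled, five of the seven sample messages reach the model, including the CI-debugging question and the vet message. With the command-only policy, only the two `/cat` messages do; the other matches produce a suggestion and nothing leaves the host.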

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to configure an API key and optional base URL for external LLM providers, but it does not clearly warn that user prompts may be transmitted off-platform to those third parties. In this context, that omission is security-relevant because the skill’s core function is to relay user input to remote services, so users may unknowingly expose sensitive conversational content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends config-derived content such as cat name, generated attributes, time context, and prompt template content to third-party LLM APIs without any clear consent or warning in the execution flow. Even if the data seems low sensitivity here, silent external transmission is a privacy and trust issue, and the prompt template may include more sensitive user-authored content.

External Transmission

Medium
Category
Data Exfiltration
Content
        "max_tokens": 500
    }

    response = requests.post(url, headers=headers, json=data, timeout=60)
    response.raise_for_status()
    result = response.json()
Confidence
90% confidence
Finding
requests.post(url, headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        "max_tokens": 500
    }

    response = requests.post(url, headers=headers, json=data, timeout=60)
    response.raise_for_status()
    result = response.json()
Confidence
90% confidence
Finding
requests.post(url, headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        "max_tokens": 500
    }

    response = requests.post(url, headers=headers, json=data, timeout=60)
    response.raise_for_status()
    result = response.json()
Confidence
90% confidence
Finding
requests.post(url, headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        "max_tokens": 500
    }

    response = requests.post(url, headers=headers, json=data, timeout=60)
    response.raise_for_status()
    result = response.json()
Confidence
90% confidence
Finding
requests.post(url, headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        ]
    }

    response = requests.post(url, headers=headers, json=data, timeout=60)
    response.raise_for_status()
    result = response.json()
Confidence
90% confidence
Finding
requests.post(url, headers=headers, json=
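The Context-Inappropriate Capability finding and the External Transmission findings describe the same request path: `base_url` from `config.json` decides where `requests.post` sends the API key and the prompt. The following is an added example, not the skill's own code, of gating that value before it reaches the request. The default endpoint table, the allowlist, and the header shape are assumptions for illustration; real providers differ in how the key is passed. It shows the unsafe resolver the finding describes beside a hardened one that requires https, refuses userinfo in the URL, refuses non-public IP literals such as a cloud metadata address, and restricts the host to an allowlist, plus a redaction helper so the key never lands in a log or cache file.

```python
"""Added example (not the skill's own code): gate a config-supplied base_url
before it is used for the requests.post call quoted in the findings."""
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Assumed default endpoints; the skill's real provider table is not shown on the page.
DEFAULT_ENDPOINTS = {
    "openai": "https://api.openai.com/v1/chat/completions",
    "anthropic": "https://api.anthropic.com/v1/messages",
}

# Hosts the deployer has decided to trust. Anything else is refused even if
# config.json asks for it. Assumed for the example.
ALLOWED_HOSTS = frozenset({"api.openai.com", "api.anthropic.com"})


class UnsafeEndpoint(ValueError):
    """Raised when base_url fails one of the checks in resolve_endpoint."""


def resolve_endpoint_unsafe(config: dict, provider: str) -> str:
    """The pattern the finding describes: whatever base_url says wins."""
    return config.get("base_url") or DEFAULT_ENDPOINTS[provider]


def _is_internal_ip_literal(host: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.169.254 included) and
    other non-global IP literals. Hostnames are not resolved here; a hostname
    that points at an internal address is caught only by the allowlist."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global


def resolve_endpoint(config: dict, provider: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL the request may go to, or raise UnsafeEndpoint."""
    base = (config.get("base_url") or "").strip()
    if not base:
        return DEFAULT_ENDPOINTS[provider]
    parts = urlparse(base)
    if parts.scheme != "https":
        raise UnsafeEndpoint(f"base_url must use https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "https://api.openai.com@evil.example/" would otherwise look trusted at a glance
        raise UnsafeEndpoint("userinfo in base_url is not allowed")
    host = parts.hostname or ""          # urlparse lowercases and strips IPv6 brackets
    if _is_internal_ip_literal(host):
        raise UnsafeEndpoint(f"base_url targets a non-public address: {host}")
    if host not in allowed_hosts:
        raise UnsafeEndpoint(f"base_url host {host!r} is not in the allowlist")
    return base


def rejection_reason(config: dict, provider: str) -> Optional[str]:
    """None if base_url is acceptable, otherwise the reason it was refused."""
    try:
        resolve_endpoint(config, provider)
    except UnsafeEndpoint as exc:
        return str(exc)
    return None


def build_request(config: dict, provider: str, messages: list) -> tuple:
    """Assemble exactly what would leave the host: URL, headers (API key), body (prompt)."""
    url = resolve_endpoint(config, provider)
    headers = {
        "Authorization": f"Bearer {config['api_key']}",  # header shape assumed; providers differ
        "Content-Type": "application/json",
    }
    data = {"model": config.get("model", "example-model"), "messages": messages, "max_tokens": 500}
    return url, headers, data


def redact_headers(headers: dict) -> dict:
    """Log-safe copy of the headers: the API key must not reach a log or cache file."""
    secret = {"authorization", "x-api-key"}
    return {k: ("[REDACTED]" if k.lower() in secret else v) for k, v in headers.items()}


if __name__ == "__main__":
    bad = {"api_key": "sk-example", "base_url": "https://169.254.169.254/latest/meta-data"}
    print("unsafe resolver would send to:", resolve_endpoint_unsafe(bad, "openai"))
    print("hardened resolver says:", rejection_reason(bad, "openai"))
    url, headers, data = build_request({"api_key": "sk-example"}, "openai",
                                       [{"role": "user", "content": "What is the cat doing?"}])
    print(url, redact_headers(headers), data)
```

The request is only built after `resolve_endpoint` succeeds, so a compromised `config.json` can change the destination only within the allowlist. The IP-literal check does not replace the allowlist: a hostname under an attacker's control can still resolve to an internal address, which is why an empty allowlist (accept any host) would reopen the finding.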

VirusTotal

64/64 vendors flagged this skill as clean.