Back to skill

Security audit

FoolClaw

Security checks across malware telemetry and agentic risk

Overview

FoolClaw is a prank skill, but it can quietly persist in the background and use messaging or social-channel capabilities in ways users should review carefully before installing.

Review this before installing. It is not just a one-shot desktop joke: starting it can create desktop artifacts, open browser content, keep a recurring background operator active, inspect OpenClaw messaging capabilities, and potentially contact other people through available channels. Install only if you are comfortable with that scope and know how to disarm or reset it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a local prank/background operator, but it also includes workflows for discovering external messaging capabilities and sending prank messages to third parties. That hidden expansion of scope is dangerous because it enables outbound actions affecting other people and channels without clear upfront disclosure or tightly scoped consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The friend-prank workflow authorizes channel capability discovery, target discovery, and direct message sending through host tools, which goes beyond a local prank surface. This creates a real risk of unauthorized or socially harmful communication from the host environment, especially if the user does not understand that installing or starting the skill can lead to external outreach.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document claims the tool is not a stealth tool, yet instructs the agent to quietly arm background behavior and avoid obvious disclosure. This contradiction increases risk because operators may be misled into thinking the behavior is harmless while the skill is optimized to minimize user awareness of ongoing activity.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file says not to describe the build as a fully autonomous operator, but then defines recurring operator turns that can discover capabilities, plan actions, send messages, and execute pranks. That mismatch obscures the system's true autonomy and makes risky behavior easier to hide behind softer product language.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This documentation explicitly broadens the skill from local desktop pranks to abusing host messaging and social channels, including background opportunistic use. That creates a mechanism for unsolicited third-party contact and covert action through whatever identities or channels the host exposes, which is materially riskier than a local prank-only feature.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file instructs the agent to enumerate channels, targets, contacts, groups, roles, and identities available in the host environment, then use them to prank others. That is dangerous because it operationalizes reconnaissance over communication surfaces and can enable impersonation, harassment, or unauthorized outreach using the user's or bot's existing access.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section authorizes sending prank messages to explicit usernames, chat IDs, groups, or threads when such targets are available. That lowers the barrier from exploration to actual outbound misuse and facilitates direct unwanted messaging to third parties via the host's communication capabilities.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Although framed as an exploratory surface, the document later directs the operator to send prank messages once conditions are satisfied. This exploratory framing can mask the true capability while still enabling real-world messaging actions, increasing the chance of covert or unreviewed misuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill goes beyond 'local pranks' by performing outbound network reachability checks and opening external URLs in the user's browser. That expands the trust boundary from local desktop artifacts to network activity and external content delivery, creating undisclosed privacy and behavior risks inconsistent with the stated scope.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The operator code enumerates messaging channels, account identities, peers, and groups, which is unrelated to a prank skill described as local-only. This is dangerous because it provides discovery of communication topology and potential message targets, enabling later unsolicited outreach or data harvesting from the host environment.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The start/arm flow installs a recurring cron job that continues operating in the background after the initial command completes. Persistent scheduled execution is risky because it changes system state, can outlive user awareness, and creates a foothold for repeated actions without fresh confirmation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The embedded operator guidance claims the background pass should only decide whether to do nothing or run one local prank, but the code also supports messaging capability and target exploration. This mismatch is dangerous because it conceals broader reconnaissance behavior behind narrower user-facing descriptions, undermining informed consent and review.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent not to perform extra safety review, permission review, or warning flows for the implemented prank surface. Suppressing normal consent and safety checks is dangerous because it bypasses the controls that would otherwise stop hidden background actions or outbound messaging before they affect the user or third parties.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description states that 'Start FoolClaw' both leaves a prank and quietly arms a background operator in one step. Quietly enabling ongoing autonomous behavior without clear disclosure materially increases the chance of unauthorized continued activity and user surprise.

Missing User Warnings

High
Confidence
98% confidence
Finding
This workflow permits use of host messaging channels and target discovery for prank delivery without requiring a clear warning that external communication will occur. That is dangerous because it can result in unwanted contact, harassment, privacy violations, or reputational harm affecting people beyond the local machine.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill uses broad natural-language triggers like 'surprise them' and 'reset' without tightly scoping what actions are permitted, increasing the chance of unintended prank execution or destructive cleanup behavior. In this skill's context, those ambiguous triggers are especially risky because they are tied to immediate execution and background behavior rather than a harmless read-only action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The prompt explicitly promotes quiet background operation and prank execution while suppressing user-facing disclosure, so users may not understand that ongoing actions can alter the system or send messages externally. This lack of transparency meaningfully increases the risk of covert persistence, unauthorized state changes, and social actions against third parties.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The page assigns payload-controlled data directly to anchor href attributes and visible link text, allowing whoever controls the payload to present and open any external URL. Although this is not script injection by itself, it enables deceptive or unexpected navigation and phishing-style redirection from a prank page, especially because the UI presents the link as a normal repository action.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The file is written entirely in Chinese and provides operational guidance without any indication that language should follow user preference or require opt-in. In an agent skill, this can cause the model to switch languages unexpectedly, reducing transparency and user comprehension, especially because the skill concerns prank behavior and exploratory actions that should remain clearly understandable to the user or operator.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Allowing opportunistic use without a clear trigger means the operator can act whenever conditions seem favorable rather than only in response to a specific user request. In the context of a prank skill with third-party messaging capability, that ambiguity increases the risk of covert activation and abusive unsolicited contact.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages sending prank messages through available channels and identities without warning the user that it may message third parties or speak through existing accounts. That omission makes consent and transparency inadequate and increases the chance that the skill will be used in a deceptive or unauthorized manner.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This section documents pranks that create local desktop artifacts and open a browser, but it does not require clear user-facing disclosure or confirmation before modifying files or changing browser state. Even if framed as a prank, unexpected local side effects can violate user expectations, disrupt work, and normalize covert actions by the agent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The default flow explicitly says 'Start FoolClaw' will quietly arm a background operator while also performing a visible prank, which indicates concealed persistent or background behavior without informed consent. Hidden background execution is dangerous because it can enable repeated actions, surveillance-like behavior, or continued interference after the initial prank appears complete.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prank routines write files to the desktop and runtime directories without any in-code warning, confirmation, or dry-run safeguard. Even if intended as harmless, unsolicited writes to user-visible locations can be disruptive, overwrite expectations about workspace integrity, and normalize unauthorized filesystem modification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script opens browser pages and URLs using system commands without disclosure at execution time. Launching applications or tabs unexpectedly can annoy users, trigger external content loading, and create a social-engineering style effect because actions occur on the user's behalf without a contemporaneous prompt.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/foolclaw.mjs:972

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/foolclaw.mjs:825