Back to skill

Security audit

Openclaw Auto Recovery

Security checks across malware telemetry and agentic risk

Overview

The skill matches its OpenClaw monitoring purpose, but it installs an always-on recovery daemon that stores secrets, restarts services, edits OpenClaw config, and executes config files as shell code.

Install only if you intentionally want an always-on OpenClaw recovery service. Review the scripts first, use only config files you created and trust, keep config.env restricted, avoid --config paths from other users or downloads, and understand that the daemon may restart Gateway and roll back OpenClaw config automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad operational terms such as '服务器告警', '健康检查', and '自动重启', which can overlap with many normal infrastructure conversations. This raises the risk of accidental invocation of a skill that can deploy daemons, modify configs, and restart services, making benign requests unexpectedly lead to impactful system changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly lists sensitive credentials (Feishu App Secret and Gateway token) and shows how to retrieve them, but provides no warning about secret handling, storage permissions, redaction, or log/terminal exposure. In an infrastructure auto-recovery skill, these secrets can grant access to messaging APIs and gateway control, so encouraging retrieval without safety guidance increases the chance of credential leakage and unauthorized system actions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script uses `source` on a user-provided config file, which executes arbitrary shell code rather than merely parsing key/value settings. Because the loaded variables then control file writes, service restarts, and outbound alerts, a malicious or tampered config can achieve code execution and trigger destructive side effects under the user's account.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script uses `source` on a user-supplied or previously stored config file, which executes arbitrary shell code in the current process rather than parsing key/value data safely. In this skill context, the installer is explicitly meant to run on user infrastructure and may be invoked with `--config`, so a malicious or tampered config file can achieve code execution under the user's account during installation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes sensitive values such as Feishu app secrets and gateway tokens to `~/.config/infra-heartbeat/config.env` without an explicit warning that credentials will be persisted on disk. Although `chmod 600` reduces exposure, storing long-lived secrets locally still increases the risk of credential theft from backups, compromised user accounts, or accidental disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.