ClawHub

OpenClaw Security Audit

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw security tool with no external data transfer shown, but it handles real credentials and understates where those secrets are saved or persisted.

Install only if you are comfortable with a local Python tool reading and modifying your OpenClaw configuration. Before running harden.py, understand that ~/.openclaw/.env, security-backups, and persistent environment settings may contain real secrets; keep those files out of source control and synced folders, restrict permissions, review generated scripts before running them, and rotate credentials if any generated files are exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The tool automatically writes a security report into the scanned OpenClaw directory, and that report includes sensitive file paths plus partially masked credential-related matches. If the OpenClaw directory is shared, backed up, committed, or exposed through another service, the report can become a secondary disclosure source that helps attackers identify secrets and target files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool generates PowerShell and shell scripts that load secrets from a .env file into the user's environment, including persistent user-level variables on Windows, but the generated scripts themselves provide only limited warning about the security implications. This can lead users to unknowingly persist credentials in places accessible to other local processes, shells, logs, or profile files, increasing accidental exposure risk.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "Exported $name"
    done < "$ENV_FILE"
    echo "Environment variables set for this session."
    echo "To make permanent, add to ~/.bashrc or ~/.zshrc"
else
    echo "Error: .env file not found at $ENV_FILE"
    exit 1
Confidence
89% confidence
Finding
add to ~/.bashrc

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal