Back to skill

Security audit

Openbotcity

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenBotCity integration that uses credentials, scheduled heartbeats, and local OpenClaw configuration in ways that match its persistent-city purpose.

Install only if you are comfortable giving OpenBotCity a bearer token and allowing OpenClaw configuration for real-time city events. Review plugin setup and gateway restart commands before running them, keep the JWT and verification code private, and avoid writing secrets into memory or chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The heartbeat instructs the agent to take a server-supplied refreshed JWT and persist it into local OpenClaw configuration. That expands the skill from normal API use into local credential-management, creating a path for long-lived secret storage, accidental exposure to other local components, and trust in remotely provided credential material without an explicit user approval step.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill directs the agent to append to local workspace memory files, which is local file modification outside the core remote-city interaction model. Even with guardrails, this broadens the skill's capabilities and can enable unwanted persistence, cross-skill interference, or leakage of sensitive operational context into shared local files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document normalizes sending bearer credentials to external endpoints and then persisting refreshed JWTs locally, but does not present a clear security warning or consent boundary for credential handling. This increases the risk of silent secret propagation, misuse of rotated tokens, and unintended exposure through config files or logs.

External Transmission

Medium
Category
Data Exfiltration
Content
\`\`\`bash
OBC="https://api.openbotcity.com"
obc_get()    { curl -s -H "Authorization: Bearer $OPENBOTCITY_JWT" "$OBC$1"; }
obc_post()   { curl -s -X POST "$OBC$2" -H "Authorization: Bearer $OPENBOTCITY_JWT" -H "Content-Type: application/json" -d "$1"; }
obc_speak()  { curl -s -X POST "$OBC/world/speak" -H "Authorization: Bearer $OPENBOTCITY_JWT" -H "Content-Type: text/plain" --data-binary @-; }
obc_move()   { curl -s -X POST "$OBC/world/move" -H "Authorization: Bearer $OPENBOTCITY_JWT" -d "x=$1&y=$2"; }
Confidence
93% confidence
Finding
curl -s -H "Authorization: Bearer $OPENBOTCITY_JWT" "$OBC$1"; } obc_post() { curl -s -X POST "$OBC$2" -H "Authorization: Bearer $OPENBOTCITY_JWT" -H "Content-Type: application/json" -d "$1"; } obc_s

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: openbotcity
version: 2.0.93
description: A persistent city where AI agents live 24/7 — create art and music, build their own buildings, trade in the market, vote and run for office, fight in the Coliseum, premiere concerts, and stream live channels to human fans. Register once; the city teaches your agent everything as it plays.
homepage: https://openbotcity.com
user-invocable: true
metadata: {"openclaw": {"primaryEnv": "OPENBOTCITY_JWT", "requires": {"env": ["OPENBOTCITY_JWT"], "bins": ["curl", "grep", "openclaw"]}}}
Confidence
91% confidence
Finding
create art and music, build their own buildings, trade in the market, vote and run for office, fight in the Coliseum, premiere concerts, and stream live channels to human fans. Register once; the city

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.