Security audit

Grinders Farm

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real farm-game chat integration, but it needs review because it includes high-impact background automation, chat-routing persistence, unsafe plugin install guidance, and an unrelated Docker/GPU startup script.

Install only if you trust the publisher and are comfortable with an unsafe OpenClaw plugin install, local background workers, persisted chat-routing files under ~/.grinders-farm, and automated posts to bound channels. Review channel bindings before enabling auto-advance, consider setting autoStartWorkerOnGatewayBoot to false, avoid reset unless you intend to erase the farm, and do not run start.sh unless you have independently audited and need its unrelated Docker scheduler behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The plugin metadata says it mainly maps intents to a farm command, but the implementation also binds chat delivery state, sends Telegram/media replies, starts an image server, and launches background automation on gateway boot. That hidden capability expansion matters because operators may install it expecting a narrow command wrapper, while it actually performs autonomous messaging and persistent service startup.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
This code can send outbound Telegram messages with media by invoking the openclaw CLI and using delivery targets recovered from context or a persisted fallback file. For a skill described as simple intent mapping, this creates an unexpected messaging capability that could be abused to send unsolicited content or leak generated data to external chats.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
On gateway startup, the plugin can automatically launch long-running automation and an image server, which is substantially broader than command dispatch. Hidden background execution increases attack surface, persistence, and operational risk because services may run continuously without the user's active awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
This code launches a detached background process via `npx tsx` based on a caller-supplied `gameRoot`, which creates persistent local execution behavior not disclosed by the skill metadata. Even if intended for convenience, spawning an unmanaged local server expands the skill's capabilities and can execute unexpected code from the target repository, increasing abuse potential if `gameRoot` is untrusted or manipulated.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill metadata describes intent mapping only, but the file also manages persistent state under the user's home directory and controls a background image server. That mismatch is security-relevant because users and reviewers may underestimate the skill's ability to write local files, track process state, and initiate long-lived services.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The package metadata describes a pixel-art farm simulation game, while the declared skill metadata says this package maps intents to a CLI/plugin integration. That mismatch is a supply-chain trust and transparency problem: users and automated tooling may misunderstand what is being installed or executed, which can conceal unexpected behavior and reduce scrutiny. In the context of an agent skill, misleading identity increases risk because skills can trigger external binaries and plugins.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
This file implements outbound notification delivery to arbitrary external messaging targets and webchat sessions, which goes beyond the stated skill metadata of merely mapping intents to grinders_farm. That mismatch increases supply-chain and user-surprise risk because a user or reviewer could install a seemingly simple farming skill that also exfiltrates farm state to external channels.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
The code resolves and executes an external openclaw CLI and uses gateway chat injection, which are powerful side effects not justified by the manifest’s narrow description. Even if intended for notifications, invoking external tooling and session injection expands the attack surface and can be abused to send messages into sessions or channels the user did not expect.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The manifest claims this skill maps intents to grinders_farm, but the script instead generates scheduler configuration and launches a tiny_sage worker in Docker. This mismatch is dangerous because it disguises materially different behavior from users and reviewers, a common sign of deceptive or trojanized skills that may run unauthorized workloads.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The script starts a Docker container with GPU access, host IPC, and elevated runtime capabilities that are not justified by the stated purpose of simple intent mapping. Such excessive privileges expand the attack surface substantially, enabling unauthorized compute usage, data exposure through shared host resources, and execution of hidden workloads under the guise of the skill.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file comment explicitly states that the script starts a schedule API worker, which conflicts with the manifest's grinders-farm description. This inconsistency reinforces that the skill is misrepresented and may be attempting to hide its true operational purpose from reviewers and operators.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README explicitly instructs users to install an OpenClaw plugin using `--dangerously-force-unsafe-install`, which bypasses normal safety protections, yet provides no warning, trust guidance, or integrity verification steps. In the context of an agent skill that encourages users to extend a chat gateway with a plugin, this increases the chance that users will install unreviewed code with elevated trust, potentially enabling arbitrary code execution or compromise of the OpenClaw environment.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
A reset command is exposed in the documented command whitelist without any warning that it may irreversibly wipe or reinitialize farm state. In a conversational setting, ambiguous or maliciously induced prompts could trigger destructive actions, causing loss of progress and local state without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill documents automatic background progression every 20 minutes but does not warn users that state will continue changing after the initiating command completes. Ongoing autonomous changes increase the risk of unexpected resource consumption, unintended gameplay actions, and confusion about why local state or notifications keep updating over time.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README explicitly instructs users to enable an auto-advancing worker and states that pushes go to all bound channels, but it does not provide a clear warning about the ongoing background behavior, scope of affected channels, or how to verify/limit where messages will be sent. In a chat-integrated plugin, this can lead to unintended persistent multi-channel actions, message spam, or disclosure of game activity into channels the operator did not fully realize were subscribed.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The plugin starts subprocess-driven automation automatically during gateway boot without interactive confirmation or a strong user-facing warning at install/use time. Even if intended for convenience, silent startup can surprise operators, consume resources, and execute actions continuously in environments where such behavior was not approved.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Starting a detached subprocess without user-facing disclosure reduces transparency around persistent local execution and makes the action harder for users to notice or control. In this context, the process is intentionally detached and ignores stdio, so failures and unexpected behavior are obscured while the server may continue running after the invoking action completes.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The code launches a detached background process (`npx tsx ...`) and immediately unreferences it, allowing it to continue running independently of the caller. In a plugin/agent context, this can create persistence-like behavior, consume resources, and run without clear user awareness or lifecycle control, especially since it also records PID state under the user's home directory.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code persists conversation routing metadata (channel, target, accountId, threadId) into files under the user's home directory automatically when the bridge context is available, but there is no visible consent, notice, retention control, or access restriction in this code path. Even though this is likely intended to make push delivery work, silently storing messaging metadata can expose private conversation identifiers to other local processes, backups, or later misuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This path automatically derives a delivery target from inbound event data and appends it to a persistent fan-out list on disk without any user-facing confirmation. In the skill context, this increases privacy risk because merely receiving or claiming inbound messages can silently build a durable map of conversation endpoints that may later be used for unexpected notifications or exposed through local compromise.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The code always writes the rendered farm image to a predictable file in the user's home directory (`~/.grinders-farm/farm.png`) without prompting the user or allowing a caller-controlled destination. This creates an undisclosed persistent side effect, can overwrite prior content, and may expose game state or user activity to other local processes that monitor that path. In this skill context, the behavior appears functional rather than malicious, but it is still a real security/privacy concern because the write happens automatically during rendering.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process). Severity: Critical. Flagged at six locations:
  • openclaw-plugin/index.ts:52
  • openclaw-plugin/start-image-server.ts:63
  • openclaw-plugin/start-local-auto.ts:24
  • scripts/sync-skill.mjs:16
  • src/local-auto.ts:26
  • src/notify/openclaw-push.ts:239