Back to skill

Security audit

ClawSentry

Security checks across malware telemetry and agentic risk

Overview

ClawSentry looks like a real OpenClaw security-plugin installer, but it handles login tokens, a persistent device fingerprint, plugin API credentials, and service changes with enough under-protected local persistence to warrant review.

Install only if you trust the ClawSentry/Volcengine service and are comfortable enrolling this OpenClaw host with an external authorization service. Expect the installer to send a device fingerprint, store activation state locally, install or replace the claw-sentry plugin, write API-key configuration, allow the plugin conversation access, and restart the OpenClaw gateway. Run it in a controlled environment first and inspect or remove the .state login files and logs after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill’s stated purpose is plugin installation/configuration, but the documented behavior also performs device fingerprinting, creates remote login tokens, and enrolls the host with an external authorization service. This expands the trust boundary and collects persistent identifiers, creating privacy and supply-chain risk that is not clearly reflected in the top-level manifest description.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The 'Limited Scope' claim is inaccurate because the documented workflow also restarts the OpenClaw gateway, which is a service-affecting system change beyond merely editing plugin config and temporary state files. Misstating operational impact can cause administrators to run the skill without anticipating disruption or broader system modification.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script goes beyond local plugin installation by creating remote login tokens, polling a remote identity service, and using the returned data to configure the plugin automatically. In a security-plugin installer context, this is risky because it introduces external trust dependencies, remote account linking, and server-driven configuration without clear validation or minimization, expanding the attack surface well beyond expected local setup.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code derives a persistent device fingerprint from the machine ID and sends it to external services as the X-Ai-Device-Fingerprint header. Persistent hardware-linked identifiers enable cross-session tracking and create privacy and correlation risks, especially when tied to login/token workflows for a security-related plugin.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The logging setup writes login workflow activity to a local state log, and elsewhere the script logs full API responses and login URLs while persisting login state to disk. Those records can expose tokens, endpoints, identities, and configuration secrets to other local users, backup systems, or later malware, enabling account takeover or unauthorized plugin enrollment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script saves login state containing sensitive workflow data to local files without any explicit warning, consent, or protective handling. Even if intended for convenience, silent persistence of login artifacts increases the chance of token leakage through local file access, backups, crash reports, or shared workstations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits a persistent device fingerprint to remote endpoints without explicit notice or opt-in. In the context of a plugin installer, that data collection is more dangerous because users may reasonably expect installation/configuration behavior, not durable device tracking tied to authentication workflows.

Session Persistence

Medium
Category
Rogue Agent
Content
The skill uses a bundled CommonJS script (`bundle.cjs`) for installation. This script is executed directly and supports two explicit phases:

- **Phase 1 (`--phase init`)**: Install plugin, create login token, print the product authorization activation page link, save local state, and return quickly.
- **Phase 2 (`--phase finalize`)**: Read the saved state, perform a short polling window, and finish writing OpenClaw plugin configuration if platform login and activation are complete.

If the script is run without `--phase`, it automatically chooses:
Confidence
90% confidence
Finding
Read the saved state

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/bundle.cjs:1238