Back to skill

Security audit

Darkhunt Observability

Security checks across malware telemetry and agentic risk

Overview

This observability plugin does what it advertises, but it can expose more agent content, tool data, user identity, and saved credentials than its safe-mode wording suggests.

Install only if you intentionally want OpenClaw activity sent to Darkhunt or another OTLP endpoint you trust. Keep payload_mode as metadata, avoid debug/full for sensitive conversations, treat ~/.openclaw/openclaw.json as containing secrets, and assume tool commands, file paths, fetched content snippets, user/channel identifiers, and some prompt snippets may appear in telemetry or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (33)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The discovery hook mechanism subscribes to a wide range of event types and emits spans built from the full evt and ctx objects, which can capture unrelated operational, user, tool, memory, and error data without minimization. In an observability/instrumentation component this broad collection materially increases the chance of over-collection of sensitive data and unintended cross-context telemetry leakage.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The code acknowledges it cannot reliably associate discovery events with the proper parent span, yet still emits spans containing all event/context data. That creates a telemetry integrity and privacy problem: sensitive data can be recorded in standalone traces divorced from the correct execution context, making accidental exposure and misleading observability more likely.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The debug-only discovery path performs broad API/runtime introspection, enumerates object properties, and logs method source snippets and object contents. In an observability plugin that already handles session, transcript, config, and runtime data, this materially increases the chance of exposing secrets, internal APIs, tokens, and user content through logs beyond the plugin’s stated telemetry purpose.

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The UI help text labels full payload export as 'recommended' even though it exports complete content, which can nudge operators toward maximum data disclosure. In a telemetry/export plugin, this is a risky default recommendation because it can cause unnecessary transmission of prompts, outputs, tool data, or other sensitive material to an external service.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code explicitly treats parameters for allowlisted tools as safe to include, but those parameters can contain sensitive operational data such as shell commands, file paths, search terms, URLs, tokens embedded in URLs, or user-supplied secrets. In a telemetry/payload-building context, this can cause unintended disclosure of confidential data into logs, traces, or downstream systems even when the tool itself is trusted.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function removes SECURITY NOTICE and external-untrusted-content boundary markers from fetched content before returning it. Those markers are part of the trust-boundary signaling that warns downstream consumers that the text is untrusted; stripping them increases the risk of prompt injection, unsafe instruction following, or misclassification of external content as trusted internal data.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The discovery-event helper copies arbitrary evt/ctx fields into telemetry attributes immediately, including non-scalar values serialized to JSON. Even with truncation, this can exfiltrate sensitive runtime context, secrets, tokens, prompts, or personal data into external observability systems without a schema allowlist or robust redaction.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This fixture includes production-like telemetry containing user/session identifiers, Slack metadata, internal file paths, and full system prompts. Even in a test fixture, retaining real or real-looking sensitive trace data creates unnecessary data exposure and can leak internal policies, agent capabilities, and personal metadata to developers, test runners, or downstream consumers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README clearly states that the plugin exports real-time agent telemetry to an external service, including tool usage, decisions, timing, and costs, and elsewhere documents modes that can include conversation content. In an agent/plugin context this is security-relevant because operators may deploy it without fully appreciating that potentially sensitive prompts, outputs, and workflow metadata can leave the local environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
`serializeConfig` writes `config.headers` directly into a plain object intended for persistence to `openclaw.json`. Since `buildHeaders` can populate this field with sensitive values such as `Authorization`, `X-Workspace-Id`, and `X-Application-Id`, the code can persist secrets to disk in cleartext, increasing exposure through local file reads, source control commits, backups, or logs.

Missing User Warnings

High
Confidence
98% confidence
Finding
The messageIn handler logs raw sender identifiers, account/channel IDs, metadata, timestamps, and internal buffer identifiers. Those values can contain PII, channel/thread identifiers, and message metadata that often end up in centralized logs with broader access and longer retention than the source system.

Missing User Warnings

High
Confidence
99% confidence
Finding
The llmInput handler logs the prompt type, length, and the first 400 characters of the prompt. Prompts frequently contain user messages, secrets, credentials, internal instructions, or regulated data, so logging them creates a direct confidentiality risk and can leak high-value content into log infrastructure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The toolStart handler serializes and logs tool parameters, which may include credentials, API inputs, user data, or file/query contents. Because tool arguments often mirror privileged downstream actions, exposing them in logs can reveal sensitive business data and enable replay or abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The toolEnd handler logs that a result exists and its size, and stores the full result for downstream buffering; in many tool ecosystems results contain retrieved documents, API responses, tokens, or personal data. Even when not printing the full content here, this instrumentation pattern normalizes capture of potentially sensitive outputs and increases leakage risk through telemetry and adjacent logging/debug paths.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The transcript update handler serializes and logs transcript event payloads in debug mode, which can directly expose user messages, model outputs, and session metadata in plain logs. Because transcript data commonly contains secrets or regulated content, even truncated logging can create a significant confidentiality risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The deep introspection code logs runtime, config, source, and API object details, including values and object keys that may contain credentials, endpoints, environment details, or user-linked data. This exceeds normal debugging needs and can leak sensitive internals into logs where access controls and retention may be weaker than primary data systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code transmits collected log records to a remote endpoint via OTLP using a configured URL and headers, but there is no user-facing notice, consent, redaction, or policy enforcement in this component. Logs often contain sensitive data such as prompts, tokens, identifiers, stack traces, or user content, so silent network export can create an unintended data exfiltration path if the endpoint is misconfigured, third-party, or attacker-controlled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The implementation includes parameters for allowlisted tools in payloads, including in metadata/debug modes, without any evidence of user disclosure or consent gating. Because these parameters may contain commands, paths, URLs, or queries, the skill context makes this more dangerous: this file is specifically designed to package and propagate observation data, so exposure is systematic rather than incidental.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code includes results from allowlisted tools in payloads across modes, which can expose fetched pages, file contents, command output, or processed data to telemetry sinks without user-facing notice. In this context, the payload helper is central infrastructure, so any over-collection propagates broadly and can leak sensitive content from many workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The identity parsing logic collects email, full name, display name, username, and user IDs from metadata and prompt content. This is a genuine privacy/security issue because it aggregates personally identifiable information into a payload-processing path, increasing the chance of unnecessary storage, correlation, and downstream leakage without any visible minimization or disclosure controls in this file.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code adds `process.owner` to telemetry using `processOwner ?? os.userInfo().username`, which can disclose the local account name to telemetry backends. Usernames are identifying metadata and may reveal personal or internal naming information; if telemetry is exported to third-party services or shared across environments, this creates an avoidable privacy and information-disclosure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This buffer stores shared user identities, channel identities, account IDs, and user message content at module scope and later emits spans containing that data. In a telemetry component, capturing and propagating potentially sensitive content and identifiers without visible minimization, consent, or strict isolation increases the risk of privacy leakage, cross-session data mix-ups, and unintended disclosure to downstream observability systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The agent span records user identifiers and related identity metadata into tracing attributes, which may be exported to third-party telemetry backends. This creates a privacy and data-minimization risk because identifiers are persisted and propagated beyond the operational need of tracing unless there is strong consent, retention control, and access restriction elsewhere.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code serializes generation input/output and conversation content directly into span attributes, which can include secrets, proprietary prompts, customer messages, or regulated data. Observability platforms often have broad retention and analyst access, so capturing raw content materially increases confidentiality and compliance exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The discovery hook copies arbitrary event and context data into span attributes, including JSON-serialized objects, making it easy to leak sensitive application state, authentication material, request context, or user data. Because the source objects are generic and not schema-constrained, this is more dangerous than ordinary telemetry fields and can silently broaden data exposure over time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.