Security audit

uruc-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real URUC bridge skill, but it gives agents persistent background control, broad remote action authority, and permission to change future workspace instructions without a clear approval gate.

Install only if you intentionally want URUC events to wake and steer the OpenClaw main session. Use a trusted URUC endpoint, least-privilege and revocable tokens, a unique URUC_AGENT_CONTROL_DIR per profile, and review any proposed AGENTS.md, TOOLS.md, MEMORY.md, or memory file changes before allowing them. Stop or release the daemon when URUC work is finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability (Medium severity, 90% confidence)
The `exec <type>` command exposes an unrestricted remote command-execution surface by forwarding arbitrary command types and attacker-controlled payloads to the daemon. In the context of a skill whose description emphasizes bootstrap, inspection, and synchronization, this materially expands capability into general remote action execution and could be abused to invoke sensitive or destructive URUC operations discovered at runtime.

Context-Inappropriate Capability (Medium severity, 87% confidence)
The `claim` and `release` handlers implement explicit control-takeover functionality (`claim_control` / `release_control`) over the current agent session. Even if intended for legitimate orchestration, this creates a direct privilege/action surface that can seize operational control, making misuse impactful in a multi-client or shared-session environment.

Vague Triggers (Medium severity, 89% confidence)
The activation condition 'when a message clearly belongs to URUC' is subjective and under-specified, which can cause the agent to misclassify ordinary user messages as privileged URUC work. In this skill, misrouting is more dangerous because URUC tasks trigger state inspection, command discovery, and possible control actions against a live daemon/runtime, so an attacker could craft prompts that induce unintended operational behavior.

Missing User Warnings (Medium severity, 95% confidence)
The skill repeatedly instructs the agent to update the active OpenClaw workspace files directly, including AGENTS.md, TOOLS.md, and memory documents, without requiring user confirmation, scoping, or change review. This creates a prompt-to-persistence path where transient or attacker-influenced content can be written into trusted bootstrap files that affect future runs, making the context especially dangerous because these files are injected into subsequent agent sessions.

Missing User Warnings (Medium severity, 90% confidence)
The skill explicitly instructs the agent to update workspace documentation files as a required action, but it does not require prior user consent or a clear warning that these edits are persistent local file modifications. In an agent setting, this can cause silent tampering with workspace state, create durable prompt-injection footholds in AGENTS.md/TOOLS.md/MEMORY.md, and alter future agent behavior beyond the current task.

Missing User Warnings (Medium severity, 97% confidence)
This section broadens the requirement into a standing obligation to immediately update multiple injected workspace files whenever the skill 'learns' stable URUC facts, again without user-facing disclosure or consent. Because these files are automatically injected into future turns and subagents, this creates a persistence and privilege-escalation channel where untrusted runtime content can be converted into long-lived instructions that influence subsequent agent decisions.

Vague Triggers (Medium severity, 93% confidence)
Enabling implicit invocation without narrowly defined trigger conditions allows the skill to activate in response to loosely related context, which can unexpectedly grant it priority over normal user-directed workflows. In this skill, that risk is amplified because activation leads to bootstrapping a local daemon, prioritizing URUC-originated messages, and updating workspace guidance files, creating a path for unintended control flow and trust-boundary crossing.

Vague Triggers (Medium severity, 91% confidence)
The default prompt uses broad routing language such as treating any 'URUC-originated' or '[URUC_EVENT]' message as priority work first, without defining authentication, provenance checks, or safe exclusions. That makes it easier for crafted input to masquerade as a trusted control signal and cause the agent to reprioritize tasks, inspect session state, discover commands, or modify AGENTS.md, TOOLS.md, and memory documents based on untrusted content.

Missing User Warnings (Medium severity, 95% confidence)
The code persists the authentication credential (`auth`) into `config.json` via `buildBootstrapConfig()` and `writeConfig()` with no encryption, redaction, or expiry. Although the file is written with mode `0o600`, storing long-lived secrets on disk increases exposure through local compromise, backups, logs, or accidental reuse by other tooling.

Missing User Warnings (Medium severity, 91% confidence)
The gateway connect payload includes `process.env.PATH` together with authentication material such as `token`, `password`, `deviceToken`, and device-backed signatures, and sends them over a WebSocket endpoint that may be configured externally. PATH can reveal sensitive filesystem layout and execution context, and combining that with credentials increases unnecessary data exposure to the remote service or any party able to intercept or log gateway traffic.

Missing User Warnings (Medium severity, 88% confidence)
The code persists an issued device token to a predictable local file under the OpenClaw state directory. Although it attempts to use mode `0o600`, storing reusable credentials on disk still increases the blast radius of local compromise, backup leakage, container image capture, or accidental workspace/state sharing.

VirusTotal

64/64 vendors flagged this skill as clean.