AgentGate - Enterprise Security Firewall for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This security firewall is disclosed and purpose-aligned, but it sends every agent tool call and its arguments to a hosted third-party service with limited data-handling detail.

Install only if you trust AgentGate and its npm package with full visibility into your agent’s tool calls. Review or pin the package first, protect the AGENTGATE_API_KEY, confirm audit-log retention and operator access, and avoid using it for secrets, regulated data, or sensitive business workflows unless AgentGate’s data-handling terms meet your requirements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly states that every tool invocation is sent to a third-party endpoint along with the agent API key, tool name, and serialized arguments, but it provides no warning that those arguments may contain sensitive prompts, credentials, filesystem data, customer records, or other private content. In a security product, this omission is especially risky because users may assume local-only enforcement while actually exporting high-sensitivity execution data to an external service and audit log.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal