Openclaw Diagnostics

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw diagnostics skill that reads local logs and session history, with an advanced mode that can change diagnostics settings and restart the Gateway after confirmation.

Install only if you operate this OpenClaw environment and are allowed to inspect its logs and agent sessions. Prefer /diag or -s for routine checks, use -a to limit scope, avoid sharing full/raw output when sessions may contain secrets or private prompts, and run -f --advanced only when a Gateway restart and temporary debug logging are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (12)

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill is presented as a diagnostics/analytics tool, but its documented advanced mode can modify configuration and restart the Gateway, which crosses from observation into state-changing administration. That mismatch can cause operators or upstream agents to invoke it with lower scrutiny than a restart-capable skill deserves, increasing the chance of unintended service disruption or misuse.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The advanced mode is documented as changing `openclaw.json`, enabling diagnostics/debug logging, and automatically restarting the Gateway. For a tool presented primarily as diagnostics/performance analysis, these are state-changing and potentially disruptive actions that exceed a reasonable read-only expectation and could affect system availability or logging exposure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatically restarting the Gateway introduces availability risk and may interrupt active sessions or workflows. Even if intended to enable richer diagnostics, the capability is more powerful than necessary for ordinary analysis and becomes dangerous when triggered unexpectedly or without strong user consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
In advanced mode, the diagnostic script stops being read-only: it edits the OpenClaw configuration, enables diagnostics/debug logging, and restarts the gateway. Even though it prompts first and attempts rollback, this is still a privileged state-changing operation that exceeds normal diagnostics semantics and can increase log sensitivity, service disruption risk, and the blast radius if the skill is invoked unexpectedly or by an over-privileged agent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Embedding gateway restart capability inside a diagnostics tool grants operational control beyond what is necessary to inspect logs or summarize performance. In practice this can be abused to cause denial of service, interrupt active sessions, or normalize risky privilege use from a skill whose description suggests passive analysis.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script parses session files and displays detailed tool-call arguments, working directories, message text, diffs, URLs, and other execution context. Those artifacts can contain secrets, proprietary prompts, user content, filesystem paths, or internal operational data, so exposing them in a diagnostic report broadens data access beyond the stated diagnostics purpose.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The natural-language triggers are broad enough to match ordinary conversation about system health, making it easier for the skill to execute diagnostics when the user may only be asking a general question. In this skill, that matters because diagnostics read logs/session data and may expose operational details without a clearly intentional command invocation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill does mention that advanced mode modifies `openclaw.json` and restarts the Gateway, but the warning is buried in notes rather than clearly surfaced where the mode is advertised and triggered. For a diagnostics-branded skill, inadequate disclosure of disruptive side effects raises the risk of accidental config mutation and service interruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document describes modifying configuration and restarting the Gateway without an explicit user-facing warning about side effects such as service interruption, changed logging verbosity, and potential persistence of sensitive diagnostic data. This lack of disclosure increases the chance of unsafe execution in production or multi-user environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Scanning session files for all agents can expose sensitive conversation content, tool outputs, and metadata beyond the user's immediate troubleshooting target. Without a privacy warning, scoping control, or consent model, the feature risks over-collection and unintended access to confidential data.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The advanced mode flow warns about config changes and restart, but it does not clearly warn upfront that enabling diagnostics/debug logging may capture more sensitive content and increase privacy exposure. That omission can lead operators to enable verbose logging without understanding that prompts, tool arguments, paths, and other sensitive runtime data may become more widely recorded.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to send raw diagnostic output directly to the user without filtering or summarization. Because the data sources include debug logs and session JSONL files, this can disclose sensitive contents such as prompts, tool arguments, internal errors, file paths, tokens/identifiers, or other operational details that would normally need redaction.

VirusTotal

60/60 vendors flagged this skill as clean.
