Security audit

WoL Wakeup

Security checks across malware telemetry and agentic risk

Overview

This Wake-on-LAN skill mostly does what it says, but it also installs a persistent message hook that can inspect all inbound OpenClaw messages and uses weak token practices.

Review before installing. Generate a unique hook token, avoid the hardcoded examples, prefer environment-based token passing, restrict permissions on OpenClaw config and WoL state files, and only enable the persistent hook service if you accept that it can inspect and locally log inbound OpenClaw messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("\n🧪 运行测试...")
    test_script = script_dir / 'test_wol.py'
    if test_script.exists():
        subprocess.run(['python3', str(test_script)], cwd=str(script_dir))
    
    print("\n✅ 技能已就绪!")
    return 0
Confidence
74% confidence
Finding
subprocess.run(['python3', str(test_script)], cwd=str(script_dir))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        print("⚠️  正在安装 wakeonlan 库...")
        try:
            subprocess.run([sys.executable, '-m', 'pip', 'install', 'wakeonlan'], check=True)
            print("✅ wakeonlan 库安装成功")
        except Exception as e:
            print(f"❌ 安装 wakeonlan 失败:{e}")
Confidence
79% confidence
Finding
subprocess.run([sys.executable, '-m', 'pip', 'install', 'wakeonlan'], check=True)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide documents an internal hook service that intercepts inbound chat messages and explicitly extends the skill beyond WoL into a reusable workflow router. This materially increases the skill’s scope and trust boundary: instead of a narrow LAN wake feature, it becomes a general message-processing integration point that could be repurposed to collect, transform, or suppress arbitrary user messages.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation encourages reuse of the workflow engine for unrelated domains such as surveys, orders, reservations, and data collection. In a skill presented as a WoL utility, this is dangerous because it normalizes expansion into a generic conversational data-processing platform without corresponding review, permissions, or user expectations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The integration plan explicitly broadens a Wake-on-LAN skill into a general inbound-message interception component for OpenClaw/WeChat, which exceeds the declared skill purpose and creates a larger trust boundary than users would reasonably expect. Even without malicious code, this kind of scope expansion can enable unauthorized message access, response orchestration, and future feature creep into broader message handling.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The plan introduces a locally exposed HTTP webhook and proposes direct integration into the platform's message-processing path, which grants the skill influence over inbound message flow beyond what a WoL automation feature requires. This increases attack surface and creates opportunities for message interception, spoofed requests, or unintended control over chatbot behavior if authentication, validation, or routing assumptions fail.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The report explicitly broadens the skill from simple WoL automation into a generic workflow engine that can support arbitrary multi-turn data collection and integrations. That scope expansion is security-relevant because operators may install a WoL skill while unknowingly enabling a reusable message-processing platform with broader capabilities than declared in the manifest.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This section documents an OpenClaw hook service and gateway integration path that intercepts messages and decides whether to handle or forward them, which is materially broader than a WoL-only utility. Hidden integration and routing behavior increases risk because it changes how user messages are processed and introduces a new local service and trust boundary not obvious from the skill description.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The skill description claims '无需大模型' while the report states that unmatched messages are forwarded to AI for handling. That mismatch is dangerous because it can mislead users and reviewers about where data flows, potentially causing sensitive or unrelated chat content to be sent to an AI backend without informed consent or appropriate policy review.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer persistently modifies host configuration by editing ~/.openclaw/config.json and installing/enabling a user systemd service, which goes beyond simple WoL device management. This increases attack surface and persistence on the machine, and users may not reasonably expect these side effects from the skill description alone.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code enables a persistent local hook service and configures an internal endpoint, adding a long-lived command-processing surface not obviously required by a narrow WoL skill. Persistent background services materially increase exposure because they can be abused later if the hook implementation has authentication, request-validation, or parsing flaws.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script embeds a fixed Bearer token in source code, which creates a secret-management issue even if the target service is bound to 127.0.0.1. Hardcoded credentials are commonly leaked via source control, logs, screenshots, or package distribution, and anyone who can reach the local hook service on the host could reuse the token to make authorized requests.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script modifies the user's global OpenClaw hook configuration, which is outside the narrowly described WoL device-management purpose. Changing platform-wide hook settings can enable new execution/integration paths and persistently alter agent behavior, creating a broader attack surface than users would reasonably expect from a wake-on-LAN skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script enables hooks and provisions a hard-coded authentication token plus local webhook endpoint, which is sensitive security configuration unrelated to basic WoL functionality. Embedding a fixed token in distributed code means anyone with the code knows the secret, and enabling hooks may allow unauthorized local integrations or abuse by other local processes if the receiving service trusts that token.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide includes a concrete bearer token directly in startup commands, configuration snippets, and curl examples, effectively treating a live secret as documentation text. Embedded credentials are easily copied into logs, shell history, screenshots, and repositories, enabling unauthorized requests to the hook endpoint if the token is reused or deployed as shown.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document describes automatic interception and handling of inbound WeChat messages but provides no explicit user-facing disclosure about message inspection or privacy implications. In a messaging environment, silent interception is risky because users and administrators may not realize that all inbound content may be examined by the skill before normal agent processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The plan documents persistence of session state and device data in local files without warning about storage of user-related data, retention, permissions, or access controls. Persisted chat/session identifiers and device information can expose sensitive operational details or enable unauthorized wake actions if the files are read or modified by other local processes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrase "帮我开机" is broad natural language that can plausibly appear in ordinary conversation, increasing the chance that the skill activates unintentionally. In this skill's context, unintended activation could expose a device list or send Wake-on-LAN packets to registered hosts without a strong confirmation boundary.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The single-word command "列表" is highly generic and lacks context scoping, so unrelated user messages could accidentally invoke the skill. In practice this can leak the inventory of configured devices and train users into unsafe command patterns where accidental invocation becomes normal.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The delete operation is documented with a simple natural-language trigger and no confirmation step, safety boundary, or examples of non-matching input. That creates a realistic risk of accidental deletion of stored device entries, which can disrupt automation and cause integrity issues in the skill's local configuration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to run commands that modify OpenClaw configuration, restart a gateway, and launch a background service, but does not clearly warn about persistence, service exposure, or rollback steps. In a skill context, such operational commands can materially alter host behavior and should be treated as sensitive deployment actions rather than routine usage instructions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The report publishes a concrete hook token and reuses it in example configuration and startup commands. Exposing a live-looking authentication secret in documentation encourages unsafe copy-paste deployment, risks accidental reuse in production, and can enable unauthorized local hook access if the token is actually active.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Broad trigger phrases like '开机' and similar everyday language can cause accidental activation during normal conversation. In this skill's context, accidental activation is more dangerous because the hook service can intercept messages and perform real actions such as listing devices or sending WoL packets without sufficiently explicit intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The keyword table defines fuzzy activation conditions without clear boundaries, examples of non-matches, or disambiguation logic. Because this skill sits in a hook path and may decide whether messages are passed to the AI, weak trigger design can lead to unintended interception or execution when users discuss booting devices in ordinary language.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documented trigger phrases for listing devices include very broad natural-language terms such as "帮我开机", "开机", and "列表", which can plausibly appear in normal conversation. In a message-driven automation context, overly broad triggers increase the chance of accidental invocation, exposing stored device names and enabling unintended wake actions if subsequent commands are similarly permissive.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.secret_argv_exposure

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
INTEGRATION_GUIDE.md:113

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
INTEGRATION_GUIDE.md:245

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
REPORT.md:210

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
SKILL.md:177