OpenClaw 安装服务

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward OpenClaw setup guide, but users should be careful with messaging credentials, remote support, payment, and the persistent heartbeat service.

Before installing, verify the OpenClaw package and support provider, do not share passwords, QR sessions, app secrets, webhooks, screenshots, or logs with untrusted parties, review HEARTBEAT.md before starting the heartbeat service, and confirm the payment address and service legitimacy before sending funds.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises remote support, paid setup, and configuration of messaging channels that typically require account access, QR login, app secrets, or webhooks, but it provides no privacy, consent, credential-handling, or data-protection guidance. In an agent skill context, this can normalize unsafe sharing of secrets or remote control access and increase the chance of credential theft, account takeover, or unauthorized data exposure.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal