Openclaw Api Reference

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw API reference; it includes examples for sensitive API operations, but they are disclosed and not executed by the skill itself.

Install this as a reference document, not as an automation tool. Before running examples against a real OpenClaw instance, verify the server, protect API keys and JWTs, and treat delete, config update, webhook creation, user creation, and script-based skill creation endpoints as privileged operations that should require trusted users and review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 90% confidence
Finding: The API reference explicitly documents creating a skill with a raw script field using an example shell command, but provides no warning that such content may be executed on the host. In a system that supports running created skills, this normalizes arbitrary command execution and can lead to remote code execution, persistence, or data compromise if exposed to untrusted users.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal