Openclaw Quick Start

Security checks across malware telemetry and agentic risk

Overview

This quick-start skill is mostly transparent about setup automation, but it asks for broad installation and configuration authority without saying exactly what will change.

Review this before installing. It is an onboarding/setup skill, but only use it if you are comfortable approving OpenClaw installation, model configuration changes, and additional skill installs. Ask the publisher or agent to show the exact commands, files changed, five skills installed, and rollback steps before allowing it to make changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly advertises automatic environment detection, installation, model configuration, and installing multiple additional skills, but provides no warning about system modifications, required permissions, network access, or what exactly will be changed. In an agent context, this can lead users to authorize broad unattended changes they do not understand, increasing the risk of unsafe installs, persistence, or unintended configuration drift.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal