Openclaw Quickstart Cn

Security checks across malware telemetry and agentic risk

Overview

This is a small Chinese OpenClaw setup guide with expected installation and API-key configuration steps, but users should handle the installer and keys carefully.

Before installing, confirm the OpenClaw installer or npm package is official and consider reviewing the installer rather than blindly piping it to a shell. Use dedicated API keys with spending limits, avoid exposing them in screenshots or shared terminals, and rotate any key that may have been leaked.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The guide instructs users to execute a remote installation script via a curl-to-bash pipeline without any integrity verification, code review step, or warning. This is dangerous because any compromise of the remote host, DNS/TLS interception, or malicious change to the installer would result in immediate arbitrary code execution on the user's machine.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document tells users to place API keys directly into CLI configuration but does not explain where the credentials are stored, whether they are encrypted, or how to avoid exposing them in shell history and local config files. In a beginner-focused setup guide, this omission increases the chance of credential leakage through plaintext config, shared machines, backups, screenshots, or terminal history.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal