Yang Openclaw Health

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw troubleshooting helper that checks system state and API-key presence without showing or sending secret values.

Install only if you want a local OpenClaw diagnostic tool. Running it will inspect your OpenClaw config path, process/port state, and whether certain model-provider API-key environment variables are set, but the reviewed code does not expose the key values or send data over the network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The script performs an extra diagnostic check for the presence of OPENAI_API_KEY, ANTHROPIC_API_KEY, or DEEPSEEK_API_KEY even though the stated purpose is OpenClaw installation health checks. While it only tests existence and does not print values, inspecting credential-related environment variables expands the script's access to sensitive state without a clear need, which creates unnecessary privacy and trust risk.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Reading environment variables associated with third-party API credentials is sensitive behavior because these variables often hold secrets used outside the application's own boundary. In this script, the access is broader than justified by the declared troubleshooting scope, so a seemingly harmless diagnostic tool normalizes secret inspection and could be repurposed or extended to expose credentials later.

Missing User Warnings

Low
Confidence: 88%
Finding
The script inspects sensitive API-key environment variables without explicitly telling the user that credential-related state will be examined. Even though it does not echo the secret values, undisclosed inspection of secrets reduces transparency and can violate the principle of least surprise for a diagnostic utility.

VirusTotal

63/63 vendors flagged this skill as clean.
