Gateway Monitor Installer

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible OpenClaw gateway monitor installer, but it exposes sensitive local monitoring and configuration controls more broadly than users are told.

Review carefully before installing. Only use this if you trust the publisher and are comfortable running persistent macOS background services that read OpenClaw logs and session status, may use a MiniMax credential taken from your local auth profile, contact MiniMax, and expose unauthenticated HTTP APIs on all network interfaces. Prefer a revised version that binds only to 127.0.0.1, requires authentication, removes or protects the restore-config endpoint, documents its credential use, and includes the missing LaunchAgent templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell scripts and performs environment-sensitive operations, but it declares no permissions or capability boundaries. That makes the skill less transparent to users and reviewers, increasing the chance that privileged file, process, or network actions occur without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is limited to installing and managing local monitoring services, but the detected behavior includes config restoration over an HTTP endpoint, reading local credentials or environment secrets, outbound calls to an external API, and exposing a network-accessible server. Hidden or under-disclosed network and credential-handling behavior is dangerous because it can enable unauthorized access, data exfiltration, or remote control beyond the user's expected scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The monitor server exposes a state-changing /api/restore-config endpoint that overwrites ~/.openclaw/openclaw.json from backups, which exceeds a read-only monitoring role and creates an unsafe remote administration capability. Because the service binds to 0.0.0.0 and has no authentication or CSRF protection, any network peer that can reach it can trigger a configuration rollback and potentially disrupt or subvert gateway behavior.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The code reads a local auth profile to obtain a MiniMax API key and uses it to query an external service unrelated to core gateway health monitoring. This expands the trust boundary from local observability into credential harvesting and third-party communication, which is not justified by the stated installer/monitor purpose and increases privacy and data exposure risk.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill accesses a third-party API credential from environment or local auth files and transmits it in an Authorization header to an external endpoint. In a monitoring daemon, this is dangerous because it silently repurposes sensitive credentials and creates a path for unauthorized outbound use if the service or configuration is tampered with.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The server listens on 0.0.0.0, exposing logs, process status, launchd state, session context, and configuration-restore functionality over unauthenticated HTTP to any reachable network peer. In the context of a local installer/monitor, this is far broader than necessary and materially increases the attack surface for information disclosure and unauthorized actions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The restore endpoint performs a state-changing file overwrite via GET; the code comment noting that the route accepts only GET does not make this safe, because restricting the method to GET is the problem. Using GET for mutation is unsafe because browsers, crawlers, link previews, and CSRF primitives can trigger it unintentionally, especially when the service is network-accessible and unauthenticated.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code silently reads local credentials and performs external API requests without any visible user disclosure, consent, or audit trail. That is a real security and privacy weakness because operators may not realize the monitor is accessing unrelated secrets and contacting third-party infrastructure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
A destructive configuration restore is guarded only by a confirm=true query parameter and has no authentication, authorization, or durable audit logging. In combination with the network listener, this makes accidental or malicious config rollback easy and hard to investigate.
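The four findings above (remote restore-config, listener on 0.0.0.0, mutation via GET, confirm=true as the only guard) describe one handler. The following is an added example, not the scanned skill's own code: the pattern as the findings describe it, beside a hardened version that binds to loopback, refuses GET for the restore route, requires a bearer token compared in constant time, and appends an audit record for every restore. The config path is the one the findings name; the backup path, audit-log path, port, status route and token scheme are assumptions.

```python
"""Added example (not the scanned skill's code): restore-config as the findings
describe it, beside a hardened version.  Only ~/.openclaw/openclaw.json comes
from the findings; every other path, the port and the token scheme are assumed."""
import hmac
import json
import os
import secrets
import shutil
import tempfile
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

CONFIG_PATH = os.path.expanduser("~/.openclaw/openclaw.json")          # named in the findings
BACKUP_PATH = CONFIG_PATH + ".bak"                                       # assumed backup location
AUDIT_LOG = os.path.expanduser("~/.openclaw/monitor-audit.jsonl")       # assumed audit log


def _reply(handler, code, body):
    handler.send_response(code)
    handler.end_headers()
    handler.wfile.write(body)


class VulnerableMonitor(BaseHTTPRequestHandler):
    """The pattern the findings describe (do not deploy): a file overwrite on GET,
    guarded only by ?confirm=true, no authentication.  Served on 0.0.0.0 any peer
    can call it, and an <img src=...> on a page the operator views triggers it too."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/api/restore-config" and parse_qs(url.query).get("confirm") == ["true"]:
            shutil.copyfile(BACKUP_PATH, CONFIG_PATH)   # state change on GET
            _reply(self, 200, b"restored\n")
        else:
            _reply(self, 404, b"not found\n")


def authorize_restore(method, headers, expected_token):
    """Return (allowed, reason) for a restore request.  Mutation only on POST; a bearer
    token (never attached automatically by a browser, so cross-site requests fail)
    compared in constant time; and a JSON content type as defence in depth."""
    if method != "POST":
        return False, "method"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no-token"
    if not hmac.compare_digest(auth[len("Bearer "):], expected_token):
        return False, "bad-token"
    if not headers.get("Content-Type", "").startswith("application/json"):
        return False, "content-type"
    return True, "ok"


def restore_config(config_path, backup_path, audit_log, actor):
    """Overwrite the config from its backup and append a durable audit record."""
    shutil.copyfile(backup_path, config_path)
    record = {"ts": time.time(), "action": "restore-config", "actor": actor,
              "config": config_path, "backup": backup_path}
    with open(audit_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


class HardenedMonitor(BaseHTTPRequestHandler):
    """Read-only on GET; restore only via authenticated POST; every restore audited."""
    token = secrets.token_urlsafe(32)   # generated at start-up, shown to the operator once

    def do_GET(self):
        if self.path == "/api/status":            # assumed read-only monitoring route
            _reply(self, 200, b'{"status":"ok"}\n')
        else:
            _reply(self, 404, b"not found\n")      # no restore route exists on GET

    def do_POST(self):
        if urlparse(self.path).path != "/api/restore-config":
            return _reply(self, 404, b"not found\n")
        allowed, reason = authorize_restore("POST", self.headers, self.token)
        if not allowed:
            return _reply(self, 415 if reason == "content-type" else 401, reason.encode() + b"\n")
        restore_config(CONFIG_PATH, BACKUP_PATH, AUDIT_LOG, self.client_address[0])
        _reply(self, 200, b"restored\n")


def serve(handler, port=8899):
    """Bind to loopback only; the findings' server bound to 0.0.0.0."""
    return ThreadingHTTPServer(("127.0.0.1", port), handler)


def demo_restore():
    """Run the hardened restore path on temporary files; returns (config after, record, audit lines)."""
    d = tempfile.mkdtemp()
    cfg, bak, log = (os.path.join(d, n) for n in ("openclaw.json", "openclaw.json.bak", "audit.jsonl"))
    with open(cfg, "w") as fh:
        fh.write('{"gateway": "current"}')
    with open(bak, "w") as fh:
        fh.write('{"gateway": "backup"}')
    record = restore_config(cfg, bak, log, "127.0.0.1")
    with open(cfg) as fh:
        after = json.load(fh)
    with open(log) as fh:
        lines = fh.read().splitlines()
    return after, record, len(lines)


if __name__ == "__main__":
    print("restore token:", HardenedMonitor.token)
    serve(HardenedMonitor).serve_forever()
```

Run it to start the hardened server on 127.0.0.1:8899; a restore then requires `POST /api/restore-config` with `Authorization: Bearer <token>` and `Content-Type: application/json`, and each restore leaves a line in the audit log, which is what the finding says the original lacks.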

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This installer copies executable files into a hidden per-user directory, writes LaunchAgent plists, and immediately bootstraps/enables them without any interactive confirmation or explicit warning about persistence. In a skill context that advertises one-click deployment and automatic recovery, this behavior creates stealthy session persistence and increases the risk that users install always-running background services without understanding the scope of changes.
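To check a host for the two behaviours this finding and the 0.0.0.0 finding describe (always-running per-user LaunchAgents pointing into a hidden directory, and a listener bound to every interface), the following is an added example, not part of the scanned skill or of SkillSpector: it parses LaunchAgent plists with `plistlib` and the output of `lsof -nP -iTCP -sTCP:LISTEN`. The sample plist and lsof lines are constructed; the label, paths and port in them are assumptions.

```python
"""Added example (not the scanned skill's code): audit per-user LaunchAgents and
wildcard listeners on macOS.  Sample inputs are constructed; label, paths and
port are assumptions."""
import glob
import os
import plistlib
import re
import subprocess

# Constructed LaunchAgent, shaped like what the finding describes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.gateway-monitor</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/me/.gateway-monitor/monitor-server</string>
    <string>--bind</string>
    <string>0.0.0.0</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed `lsof -nP -iTCP -sTCP:LISTEN` output; lsof prints all-interface binds as "*:port".
SAMPLE_LSOF = """COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
monitor-s 4242   me    3u  IPv4 0xabc      0t0  TCP *:8899 (LISTEN)
rapportd   611   me    8u  IPv4 0xabd      0t0  TCP 127.0.0.1:62110 (LISTEN)
"""

HIDDEN_DIR = re.compile(r"^(?:/Users/[^/]+|~)/\.")   # program lives under a dot-directory in $HOME


def plist_indicators(data: bytes) -> dict:
    """Persistence and exposure indicators for one LaunchAgent plist."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {
        "label": p.get("Label"),
        "program": args[0] if args else None,
        "run_at_load": bool(p.get("RunAtLoad")),      # starts at login without being asked
        "keep_alive": bool(p.get("KeepAlive")),       # relaunched if it exits ("automatic recovery")
        "hidden_dir": bool(args) and HIDDEN_DIR.match(args[0]) is not None,
        "binds_all": any(a in ("0.0.0.0", "::", "*") for a in args),
    }


def all_interface_listeners(lsof_text: str) -> list:
    """Return (command, pid, port) for listening sockets bound to every interface."""
    out = []
    for line in lsof_text.splitlines()[1:]:         # skip the header row
        f = line.split()
        if len(f) < 9 or f[-1] != "(LISTEN)":
            continue
        host, _, port = f[-2].rpartition(":")
        if host == "*":
            out.append((f[0], int(f[1]), int(port)))
    return out


def audit_host():
    """Live run on macOS: every per-user LaunchAgent plus every wildcard listener."""
    agents = []
    for path in glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist")):
        with open(path, "rb") as fh:
            agents.append((path, plist_indicators(fh.read())))
    try:
        lsof = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        lsof = ""
    return agents, all_interface_listeners(lsof)


if __name__ == "__main__":
    agents, listeners = audit_host()
    for path, ind in agents:
        flagged = [k for k in ("run_at_load", "keep_alive", "hidden_dir", "binds_all") if ind[k]]
        print(path, ind["program"], ",".join(flagged) or "-")
    for cmd, pid, port in listeners:
        print("all-interface listener:", cmd, pid, port)
```

An agent that is RunAtLoad and KeepAlive, runs a binary from a dot-directory, and passes 0.0.0.0 on its command line matches every indicator at once; a wildcard listener in the lsof output confirms the binding at runtime rather than trusting the plist.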

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal