Back to skill

Security audit

Post-Upgrade Auto Repair

Security checks across malware telemetry and agentic risk

Overview

This repair skill broadly matches its stated purpose, but it installs silent startup automation, changes OpenClaw configuration without backup or confirmation, and sends diagnostics or user prompts to a remote AI provider using stored credentials.

Review before installing. Back up ~/.openclaw/openclaw.json and any existing ~/.openclaw/workspace/BOOT.md, and only use this if you are comfortable with silent startup checks, automatic config edits, and remote AI requests using your configured provider key. A safer version would ask before changing files or sending diagnostics, preserve backups, redact sensitive output, and provide a local-only dry run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script goes beyond local diagnostics and automatically forwards a generated problem report to a secondary AI-driven repair workflow. That report includes status output, version data, and a local config path, and the downstream agent may generate or trigger powerful actions outside the narrow scope of a health check. In a security-sensitive agent ecosystem, handing arbitrary troubleshooting context to an external AI component without explicit consent or strict confinement materially increases data exposure and behavioral risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The installer persistently rewrites BOOT.md and enables a startup hook, changing how the workspace behaves on every future launch rather than just installing a repair tool. In this skill's context, that is security-relevant because it creates an automatic execution path for check.mjs on startup, increasing the blast radius if the skill is buggy, compromised, or later modified.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The header presents the script as a simple one-click installer, but the code also changes persistent boot configuration and seeds version-tracking state. This mismatch reduces informed consent and can mislead users about the scope of system changes being made.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation does not perform any health check or auto-repair logic described in the manifest; instead it accepts arbitrary user input and forwards it to the configured external model endpoint using the user's existing API credentials. This creates a deceptive capability mismatch that can trick users into running a general-purpose prompt exfiltration/relay tool under the guise of maintenance, which is especially dangerous because the skill description explicitly claims system diagnosis and repair.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script exposes a broad external LLM invocation path that can send any supplied task to a remote endpoint, far beyond the stated scope of repairing OpenClaw issues. In the context of an agent skill, this effectively provides an undeclared arbitrary outbound AI-call primitive that could be abused for data disclosure, prompt laundering, or hidden secondary task execution.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description advertises automatic health checks and repairs after upgrades/restarts, but it does not define clear trigger conditions, scope limits, or approval boundaries. In an agent ecosystem, broad auto-activation can cause the skill to run in unexpected contexts and make changes to user configuration or connected services without explicit user intent, increasing the risk of unsafe autonomous behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states it will automatically repair known problems, yet the description does not warn that it may modify system configuration, connectivity settings, or runtime behavior. This is dangerous because users may install or restart the environment without realizing the skill can alter files or operational settings, making unintended or harmful changes harder to detect and recover from.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently rewrites the user's persistent OpenClaw configuration file as part of a check operation, without prompting, backup, or dry-run review. Even if intended as a convenience migration, automatic modification of security-relevant config can break service behavior, destroy forensic state, or mask unintended changes. A health-check context makes this more dangerous because users are less likely to expect write operations from a diagnostic tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script packages diagnostic data derived from status and configuration context and sends it to a secondary repair script/AI workflow without a clear privacy notice or consent gate. Diagnostic output can contain operational metadata, channel state, error details, and filesystem paths that may be sensitive in aggregate. In the context of an agent skill that explicitly contacts AI for unknown issues, this creates a real confidentiality risk rather than a purely theoretical concern.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script overwrites BOOT.md and enables the boot-md hook without prompting the user or checking for an existing configuration that may be unrelated. That can silently disrupt prior workspace behavior and establishes persistent automatic execution, which is especially risky in an installer for a skill that can later run repair logic and contact AI for unknown issues.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently reads API credentials from the user's ~/.openclaw/openclaw.json file to authenticate outbound requests, without prominently informing the user that existing secrets will be used. Even if the key is only placed in a header and not printed, undisclosed secret consumption is risky in a third-party skill because users may not expect their configured credentials to be accessed at all.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script transmits user-supplied task content to a remote provider endpoint and authenticates with the user's API key, but provides no explicit warning that the request will leave the local environment. In a tool advertised as local health-check/repair automation, this omission increases the chance that users unknowingly send sensitive operational details or secrets to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal