OpenClaw Config Reference

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenClaw configuration reference: it describes risky settings but does not execute code or modify anything on its own.

Safe to install as a reference skill. Before copying any example into a real deployment, back up openclaw.json, keep tokens in environment files with restrictive permissions, never enable insecure auth outside localhost, never expose the gateway publicly without strong authentication, and prefer deny or ask modes for code execution and elevated access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The manifest description contains very broad trigger language such as "Use when asked about config, configuration, gateway settings, channel setup, agent config, session management, sandbox, cron jobs, hooks, tools, browser, models, environment variables, or when troubleshooting broken config and gateway startup failures." This can cause the skill to activate for a wide range of ordinary user requests, which increases the chance that untrusted instructional content from the skill is injected into unrelated conversations and influences sensitive configuration or operational actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The example sets `controlUi.allowInsecureAuth: true` and shows access over plain HTTP without a prominent warning that credentials or session tokens are then exposed in transit. Because this is a configuration reference, users may copy the example verbatim, leaving the gateway management UI open to credential theft on untrusted networks or through interception on the local network.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Documenting `--tailscale funnel` as a simple exposure option, without a strong warning, normalizes publishing the gateway to the public internet. Because this skill is a configuration reference for gateway setup, the absence of guidance on mandatory authentication, least-privilege exposure, and UI/API hardening raises the risk that operators unintentionally expose administrative or API surfaces.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The hooks documentation explicitly encourages injecting full webhook bodies, and even selected headers, into agent prompts via template variables such as `{body}` and `{headers.X-Custom}`, but it does not warn that these values may contain secrets, PII, tokens, or attacker-controlled content. In a system that forwards webhook payloads to an agent, this can lead to unintended disclosure, prompt injection, or unsafe downstream handling of sensitive external data.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The cron delivery section documents a webhook mode that HTTP POSTs job results to a URL, but it does not warn that job output may contain sensitive model responses, internal state, or user data. Users could configure delivery of confidential output to third-party endpoints without understanding the privacy implications.
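The three configuration-level findings above (insecure control UI auth, hook templates that splice webhook data into prompts, and cron webhook delivery) can be checked mechanically before a copied example goes live. The audit below is an added example, not code from this skill or from OpenClaw. Only `controlUi.allowInsecureAuth`, the `{body}` / `{headers.X-Custom}` template variables and the cron "webhook" delivery mode come from the findings; the surrounding key layout (a `hooks` map with a `template` string, a `cron` map with a `delivery` object) and both sample configs are assumptions made for illustration, so adapt the key paths to the real schema.

```python
"""Audit an openclaw.json-style config for the settings flagged in the findings above.

Added example, not the skill's or OpenClaw's code. Only controlUi.allowInsecureAuth,
the {body}/{headers.X-Custom} hook variables and the cron "webhook" delivery mode are
taken from the findings; the hooks/cron key layout is an assumed illustrative shape.
"""
import re
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# The two template variables the hooks documentation encourages; both splice raw,
# possibly attacker-controlled webhook data straight into the agent prompt.
HOOK_TEMPLATE_VAR = re.compile(r"\{(body|headers\.[A-Za-z0-9_-]+)\}")


def audit(config: dict) -> list:
    """Return one message per risky setting; an empty list means none were found."""
    issues = []

    # Insecure auth on the control UI: credentials and session tokens cross the
    # network unprotected whenever the UI is reachable over plain HTTP.
    if config.get("controlUi", {}).get("allowInsecureAuth") is True:
        issues.append("controlUi.allowInsecureAuth is true: acceptable only on localhost, "
                      "never on a gateway reachable from other hosts")

    # Hook templates that inject webhook bodies or headers into prompts.
    for name, hook in config.get("hooks", {}).items():
        used = HOOK_TEMPLATE_VAR.findall(hook.get("template", ""))
        if used:
            issues.append(f"hook {name!r} injects untrusted webhook data into the prompt "
                          f"via {', '.join('{' + v + '}' for v in used)}")

    # Cron webhook delivery posts job output (model responses, internal state) to a
    # URL; anything off-box, or anything over plain HTTP, deserves a second look.
    for name, job in config.get("cron", {}).items():
        delivery = job.get("delivery", {})
        if delivery.get("mode") != "webhook":
            continue
        parsed = urlparse(delivery.get("url", ""))
        if parsed.scheme != "https":
            issues.append(f"cron job {name!r} delivers output over "
                          f"{parsed.scheme or 'no'} scheme, not https")
        if parsed.hostname not in LOOPBACK_HOSTS:
            issues.append(f"cron job {name!r} posts model output off-box to "
                          f"{parsed.hostname!r}; confirm that endpoint may receive it")
    return issues


# Constructed sample configs (not from the page): the weak one reproduces all three
# patterns, the hardened one keeps the same features without them.
WEAK_CONFIG = {
    "controlUi": {"allowInsecureAuth": True},
    "hooks": {"github": {"template": "Handle this push: {body} (sig: {headers.X-Custom})"}},
    "cron": {"nightly": {"delivery": {"mode": "webhook",
                                      "url": "https://collector.example/ingest"}}},
}
HARDENED_CONFIG = {
    "controlUi": {"allowInsecureAuth": False},
    "hooks": {"github": {"template": "A push webhook arrived; read its fields with the hooks tool."}},
    "cron": {"nightly": {"delivery": {"mode": "webhook", "url": "https://localhost/ingest"}}},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no issues")
```

Running the audit against the weak sample yields three messages, one per finding; the hardened sample, which keeps the same hook and cron features but describes the webhook rather than quoting it and keeps delivery on the loopback host, yields none.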

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The recovery snippet replaces the user's primary configuration file with a minimal template using shell redirection, which overwrites whatever already exists at that path. In a troubleshooting skill, users are likely to copy-paste this during an outage, so without an explicit warning about the destructive replacement they can lose security settings, agent definitions, or auth configuration and leave the gateway misconfigured.
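A non-destructive version of that recovery step, as an added example that is neither the skill's recovery snippet nor OpenClaw code: the current file is copied to a timestamped backup before anything is written, the new content goes to a temporary name and is renamed into place atomically, and the result keeps owner-only permissions because the file carries tokens. The template content and the backup naming scheme are assumptions for illustration only.

```python
"""Reset openclaw.json to a minimal template without destroying the current file.

Added example, not the skill's recovery snippet and not OpenClaw code. The template
content and the backup naming are assumptions; the procedure is the point.
"""
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

# Assumed minimal template (illustrative only, not OpenClaw's documented one).
MINIMAL_TEMPLATE = {"controlUi": {"allowInsecureAuth": False}}


def reset_config(path, template: dict) -> Optional[Path]:
    """Replace `path` with `template`; return the backup path, or None if `path`
    did not exist. A bare `cat > openclaw.json <<EOF` silently overwrites agent
    definitions and auth settings; here the old file is copied first, and the new
    content is written to a temp name and renamed into place, so an interrupted
    run leaves either the complete old file or the complete new one."""
    path = Path(path)
    backup = None
    if path.exists():
        backup = path.with_name(f"{path.name}.bak-{time.strftime('%Y%m%dT%H%M%S')}")
        if backup.exists():  # refuse to clobber a backup made earlier this second
            raise FileExistsError(f"backup {backup} already exists")
        shutil.copy2(path, backup)  # copy2 keeps the original mode bits on the backup
    tmp = path.with_name(path.name + ".tmp")
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(template, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp, 0o600)  # the config holds tokens: owner read/write only
    os.replace(tmp, path)  # atomic rename on POSIX
    return backup


def demo() -> dict:
    """Constructed scenario: a config holding an auth token is reset; the token must
    survive in the backup and the live file must hold only the template."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "openclaw.json"
        cfg.write_text(json.dumps({"auth": {"token": "EXAMPLE-TOKEN"}}))
        backup = reset_config(cfg, MINIMAL_TEMPLATE)
        return {
            "backup_has_token": json.loads(backup.read_text())["auth"]["token"] == "EXAMPLE-TOKEN",
            "live_is_template": json.loads(cfg.read_text()) == MINIMAL_TEMPLATE,
            "live_mode": oct(cfg.stat().st_mode & 0o777),
            "backup_named_after_config": backup.name.startswith("openclaw.json.bak-"),
            "fresh_path_has_no_backup": reset_config(Path(d) / "new.json", MINIMAL_TEMPLATE) is None,
        }


if __name__ == "__main__":
    print(demo())
```

Restoring after a botched reset is then a plain copy of the `.bak-` file over openclaw.json; the backup keeps the original mode bits, so a 0600 config does not become world-readable on the way.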

VirusTotal

64/64 vendors flagged this skill as clean.
