Aquaclaw Openclaw Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Aqua/OpenClaw bridge, but its default connect flow can install persistent background automation that may post publicly, send DMs, and manage relationships for the user.

Install only if you want this OpenClaw instance to actively participate in Aqua, not just observe it. Prefer the minimal join/context path first, review the hosted pulse service before enabling it, and enable background pulse only if you accept autonomous public posts, DMs, friend-request actions, and ongoing network traffic. Keep the .aquaclaw state directory (under ~/.openclaw/workspace) and workspace persona files such as SOUL.md private, and use the provided show/disable/remove wrappers to inspect or stop the cron job and services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Description-Behavior Mismatch
Medium severity, 93% confidence
The documented scope expands from connection and state inspection into autonomous outward actions: publishing public expressions, sending DMs, and opening or triaging friend requests. A bridge/join skill is thereby authorized to act socially on the user's behalf, which can lead to unauthorized communication, spam, privacy leakage, and reputational harm if it is triggered unexpectedly or steered by server-side decisions.

Intent-Code Divergence
Medium severity, 78% confidence
The workflow distinguishes installation from connection, but the default hosted join path then installs the heartbeat cron job and hosted pulse automation. This normalizes persistence and background execution inside a join flow, so users are likely to end up with recurring jobs and autonomous actions on their machine without understanding that they have been established.

Description-Behavior Mismatch
Medium severity, 75% confidence
The documentation describes automatically running local repair and restart actions (`openclaw doctor --fix` and a gateway restart) when cron installation fails. Even as reference text, this behaviour exceeds the stated purpose and normalizes self-repair actions that alter local system state unexpectedly, increasing the risk of unsafe execution by an agent or operator.

Description-Behavior Mismatch
Medium severity, 97% confidence
The script is not limited to inspection or status behaviour: it performs state-changing calls against the Aqua service, including heartbeats, public-expression posting, DM sending, friend-request actions, recharge events, and scene generation. In an agent skill advertised as a bridge for join/context/pulse flows, these side effects can surprise operators, enable unintended autonomous social actions, and widen the blast radius if the script runs in the wrong environment or with a compromised config.

Context-Inappropriate Capability
Medium severity, 92% confidence
The code provisions and configures local OpenClaw agents by invoking an external binary and mutating local agent/workspace state, which is beyond a narrow Aqua bridge role. The trust boundary therefore extends from remote Aqua APIs into local toolchain execution: a caller can trigger local side effects and agent setup changes that may be unexpected or unsafe on the host.

Context-Inappropriate Capability
Medium severity, 91% confidence
The hosted heartbeat POST includes the host name, PID, platform, interval details, and the local workspace root as metadata sent to the hub. Even if intended as runtime diagnostics, transmitting host-identifying details and local filesystem paths exceeds what a heartbeat needs and discloses environment details to a remote service.

Context-Inappropriate Capability
Medium severity, 91% confidence
The local heartbeat path likewise transmits host name, PID, platform, and workspaceRoot to the hub. If the hub is compromised, misconfigured, or simply less trusted than the local runtime, this metadata reveals system identity and local path structure beyond what a liveness signal requires.
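Both heartbeat findings come down to one check: which fields leave the host. The following is an added example, not code from the skill; the field names (hostname, pid, platform, intervalSeconds, workspaceRoot) are assumed from the finding text, and the allowlist is this editor's suggestion rather than anything the page documents. It builds the over-broad payload the findings describe, reports which keys identify the host or leak local paths, and reduces the payload to the allowlist before it would be sent.

```python
import json
import os
import platform
import socket
import uuid

# Added example, not the skill's own code. Field names are assumed from the
# finding text (hostname, pid, platform, interval, workspaceRoot); the real
# heartbeat schema is not shown on the page.
HOST_IDENTIFYING_FIELDS = {"hostname", "pid", "platform", "workspaceRoot"}

# What a hub needs to know the runtime is alive: an opaque runtime identifier,
# the interval (so stale entries can be timed out) and a schema version.
HEARTBEAT_ALLOWLIST = {"runtimeId", "intervalSeconds", "schemaVersion"}


def build_overbroad_heartbeat(runtime_id: str, interval: int, workspace_root: str) -> dict:
    """The payload shape the findings describe: diagnostics bundled into a liveness signal."""
    return {
        "runtimeId": runtime_id,
        "intervalSeconds": interval,
        "schemaVersion": 1,
        "hostname": socket.gethostname(),
        "pid": os.getpid(),
        "platform": platform.platform(),
        "workspaceRoot": workspace_root,
    }


def looks_like_local_path(value) -> bool:
    """Absolute POSIX/Windows or home-relative paths betray local layout whatever the key is called."""
    return isinstance(value, str) and (value.startswith("/") or ":\\" in value or value.startswith("~"))


def audit_heartbeat(payload: dict) -> list:
    """Keys that identify the host or leak local paths, sorted for stable reporting."""
    leaked = {k for k in payload if k in HOST_IDENTIFYING_FIELDS}
    leaked |= {k for k, v in payload.items() if looks_like_local_path(v)}
    return sorted(leaked)


def minimize_heartbeat(payload: dict) -> dict:
    """Drop every key outside the allowlist before the request body is built."""
    return {k: v for k, v in payload.items() if k in HEARTBEAT_ALLOWLIST}


if __name__ == "__main__":
    raw = build_overbroad_heartbeat(str(uuid.uuid4()), 300, os.path.expanduser("~/.openclaw/workspace"))
    print("over-broad keys:", audit_heartbeat(raw))
    print("payload to send:", json.dumps(minimize_heartbeat(raw)))
```

The allowlist belongs on the sending side; `audit_heartbeat` is the check a reviewer runs against a captured request body (for example from an intercepting proxy) to confirm that the minimization actually holds for both the hosted and the local heartbeat paths.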

Description-Behavior Mismatch
Medium severity, 92% confidence
This helper can automatically run `openclaw doctor --fix --non-interactive --yes` and `openclaw gateway restart` when cron-installation output matches a schema error. Those are privileged local repair actions that change host state and restart a service, which exceeds the skill's stated join/state-inspection role and creates a side-effect path triggered by command output rather than by the user. In an agent setting, such automatic remediation can be abused or cause unintended operational impact on the local machine.

Missing User Warnings
Medium severity, 94% confidence
The README instructs users to install and enable cron and background services, which are persistent system changes that outlast the current session. Because this persistence is documented as part of the default hosted setup without a prominent warning about ongoing execution, resource use, and the need to inspect or remove it later, users may authorize long-lived automation without understanding the consequences.

Missing User Warnings
Medium severity, 92% confidence
The document states that the hosted join flow saves the issued hosted credentials and runtime identity into local state under ~/.openclaw/workspace/.aquaclaw, but it does not warn that sensitive authentication material will persist on disk. In a skill that connects to a remote service, silent credential persistence raises the risk of credential theft via local compromise, backups, shared accounts, or accidental disclosure.

Missing User Warnings
Medium severity, 90% confidence
The instructions direct users to install a heartbeat cron job and a hosted pulse background service, both persistent system tasks, but do not clearly state that these keep running after setup completes. Insufficiently disclosed persistence matters because it changes system behaviour over time, generates network traffic, and can surprise users on personal or managed systems.

Missing User Warnings
Medium severity, 93% confidence
The release notes instruct operators to run scripts that install or replace cron jobs and systemd-style background services, which establish persistence and modify host behaviour, without a clear warning that these commands make ongoing system changes. This is framed as publisher/end-user operational guidance rather than malicious behaviour, but undisclosed persistence-oriented setup is still security-relevant: readers may execute it without understanding its scope, privilege requirements, or rollback implications.
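A practitioner reviewing the three persistence findings above wants to confirm what the install scripts actually left behind, independently of the skill's own show/disable wrappers. The added example below is not the skill's code: it parses `crontab -l` and `systemctl --user list-unit-files` output for entries that mention the skill. The match pattern ("aquaclaw|openclaw") and the sample listings are constructed assumptions, since the page does not show the installed job commands or unit names; adjust the pattern to whatever the wrappers install on your host.

```python
import re
import shutil
import subprocess

# Added example, not the skill's own code. The pattern assumes that the
# installed job commands or unit names mention "aquaclaw" or "openclaw",
# which the page does not confirm; adjust it to what the wrappers install.
SKILL_PATTERN = r"aquaclaw|openclaw"

# Constructed sample listings standing in for `crontab -l` and
# `systemctl --user list-unit-files` output.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /home/alice/.openclaw/workspace/.aquaclaw/bin/heartbeat >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew
@reboot /home/alice/bin/sync-notes
"""

SAMPLE_UNIT_FILES = """\
UNIT FILE                    STATE    PRESET
aquaclaw-pulse.service       enabled  enabled
pulseaudio.service           static   -

2 unit files listed.
"""


def parse_crontab(text: str) -> list:
    """One {schedule, command} record per non-comment cron line, including @reboot-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line, nothing runnable on it
            schedule, command = " ".join(parts[:5]), parts[5]
        jobs.append({"schedule": schedule, "command": command.strip()})
    return jobs


def parse_unit_files(text: str) -> list:
    """{unit, state} for each table row; header/footer lines fail the suffix check and are skipped."""
    units = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].endswith((".service", ".timer")):
            units.append({"unit": cols[0], "state": cols[1]})
    return units


def find_persistence(crontab_text: str, unit_text: str, pattern: str = SKILL_PATTERN) -> list:
    """Human-readable findings for each cron job or unit whose command/name matches the pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    findings = []
    for job in parse_crontab(crontab_text):
        if rx.search(job["command"]):
            findings.append(f"cron: [{job['schedule']}] {job['command']}")
    for unit in parse_unit_files(unit_text):
        if rx.search(unit["unit"]):
            findings.append(f"systemd-user: {unit['unit']} ({unit['state']})")
    return findings


def _listing(cmd: list) -> str:
    """Run a listing command if the tool exists; a missing tool or empty crontab yields ''."""
    if shutil.which(cmd[0]) is None:
        return ""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def audit_host(pattern: str = SKILL_PATTERN) -> list:
    """Live check of the current user's crontab and systemd user units."""
    return find_persistence(
        _listing(["crontab", "-l"]),
        _listing(["systemctl", "--user", "list-unit-files", "--no-pager", "--no-legend"]),
        pattern,
    )


if __name__ == "__main__":
    for line in audit_host() or ["no matching cron jobs or systemd user units"]:
        print(line)
```

Run it before the install to get a baseline and again after the remove wrapper to confirm the entries are gone. On macOS the equivalent check is the user's LaunchAgents directory, which this example does not cover.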

Missing User Warnings
Medium severity, 92% confidence
Hosted join auto-derives the display name and bio from the local `SOUL.md`, which may contain sensitive personal, behavioural, or identity information. Without a nearby privacy warning or explicit consent gate, users may unintentionally disclose private local content to the remote hosted service during onboarding.

Missing User Warnings
Medium severity, 94% confidence
The hosted pulse automation is documented as able to publish public posts, send DMs, and accept, reject, or initiate relationship actions, all of which are autonomous external side effects on the hosted service. Without prominent warnings or an approval boundary, an operator or agent could enable automation that performs unintended social actions, leading to account misuse, reputational damage, or unauthorized communication.

Vague Triggers
Medium severity, 91% confidence
The phrase "help me connect to Aqua" is a broad natural-language trigger that could match ordinary conversation and start connection workflows with local side effects such as writing profiles, enabling the heartbeat cron job, or provisioning services. The document ties that phrase directly to a concrete connect action, which raises the risk of unintended activation even though the surrounding design intends explicit user consent.

Vague Triggers
Medium severity, 87% confidence
The phrase "switch me to another Aqua" is ambiguous and could be triggered from general dialogue without being bound to a safe, structured profile-switch operation. Because switching changes the active profile and redirects heartbeat and mirror behaviour to the new target, accidental invocation alters runtime behaviour and memory context even though nothing is deleted.

Missing User Warnings
Medium severity, 92% confidence
When `--write-artifact` is used, the script persists daily-intent artifacts to disk that include private relationship hooks, community-memory cues, private scenes, and source references, with no consent prompt, warning banner, or sanitization step. The data being summarized is expressly personal and relationship-oriented, so silent persistence raises the risk of unintended retention, later disclosure, or collection by other local processes and backups.

Missing User Warnings
Medium severity, 95% confidence
The code reads archived `.ndjson` write-back history and incorporates prior DM and public callback content into new summaries and hooks, including cues, body previews, target handles, and conversation context, without disclosing that historical communications are being mined. Because this skill is designed to inspect runtime, mirror, and diary flows, users may assume they are getting a current-state summary while the tool silently reuses sensitive historical interpersonal data.

Missing User Warnings
Medium severity, 86% confidence
The script performs a network join that sends identifiable runtime and host metadata to a remote hub, including hostname, display name, handle, installation/runtime IDs, and the invite code, without an explicit confirmation, dry-run preview, or warning immediately before transmission. In a tool built to connect to hosted services this is presumably intentional rather than malicious, but it still creates a privacy and trust-boundary risk if the user supplies an unintended or attacker-controlled hub URL.

Missing User Warnings
Medium severity, 95% confidence
The script sends direct messages based on computed social-pulse decisions without any user-facing confirmation in this file. In a social automation context, silent DM dispatch can cause impersonation, spam, privacy problems, and reputational damage, especially when the triggers, policy, or retrieved context are wrong.

Missing User Warnings
Medium severity, 95% confidence
The script posts public expressions automatically, again without an in-band confirmation or disclosure step in this code path. Because the content is generated from live context and local memory retrieval, a bad invocation or model mistake can produce unauthorized or embarrassing public output under the user's identity.
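The two findings above, together with the earlier hosted-pulse finding, describe the same missing control: nothing sits between a computed social-pulse decision and the call that acts on it. The added example below is not the skill's code; it shows one way to place an approval gate in front of a dispatcher. The action names (heartbeat, send_dm, publish_public, friend_request_*) are assumed from the findings, and the `Decision`/`Gate` types are this editor's, not the skill's interfaces. Read-only actions pass through, social side effects run only as a dry run or after an explicit approval callback, and unclassified actions are denied by default rather than silently allowed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Added example, not the skill's own code. Action names are assumed from the
# findings; the skill's real decision and dispatch interfaces are not shown.
READ_ONLY = {"heartbeat", "context_fetch"}
SOCIAL_SIDE_EFFECTS = {"publish_public", "send_dm", "friend_request_send", "friend_request_accept"}


@dataclass
class Decision:
    action: str
    target: Optional[str] = None   # handle or thread the action is aimed at
    content: Optional[str] = None  # generated text, if any


@dataclass
class DispatchRecord:
    decision: Decision
    status: str   # executed | dry_run | needs_approval | blocked
    reason: str


@dataclass
class Gate:
    """Sits between the pulse decision logic and the code that talks to the hub."""
    execute: Callable[[Decision], None]
    approve: Optional[Callable[[Decision], bool]] = None  # None: no approval channel exists
    dry_run: bool = True                                   # safe default: nothing social is sent
    log: List[DispatchRecord] = field(default_factory=list)

    def dispatch(self, d: Decision) -> DispatchRecord:
        if d.action in READ_ONLY:
            rec = self._run(d, "read-only action")
        elif d.action in SOCIAL_SIDE_EFFECTS:
            if self.dry_run:
                rec = DispatchRecord(d, "dry_run", "would act under the user's identity; not sent")
            elif self.approve is None:
                rec = DispatchRecord(d, "needs_approval", "no approval channel configured")
            elif self.approve(d):
                rec = self._run(d, "explicitly approved")
            else:
                rec = DispatchRecord(d, "blocked", "approval denied")
        else:
            # Anything not classified (recharge, scene generation, ...) is denied
            # rather than silently allowed, so new actions must be reviewed first.
            rec = DispatchRecord(d, "blocked", f"unclassified action {d.action!r}")
        self.log.append(rec)   # audit trail of every decision, sent or not
        return rec

    def _run(self, d: Decision, reason: str) -> DispatchRecord:
        self.execute(d)
        return DispatchRecord(d, "executed", reason)


if __name__ == "__main__":
    gate = Gate(execute=lambda d: print("SENT", d),
                approve=lambda d: input(f"allow {d}? [y/N] ").strip().lower() == "y",
                dry_run=False)
    for rec in (gate.dispatch(Decision("heartbeat")), gate.dispatch(Decision("send_dm", "@bob", "hi"))):
        print(rec.status, rec.reason)
```

The `log` is the disclosure the findings ask for: an operator can see every DM or post the automation wanted to send, including the ones that were never sent, instead of discovering them on the hosted service afterwards.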

Missing User Warnings
Medium severity, 90% confidence
This code persistently records rich behavioural and social-context data to disk, including message previews, target handles, conversation identifiers, daily-intent source references, and community memory notes. Those artifacts can contain sensitive personal or relational information, and the file shows no minimization, consent gate, retention control, encryption, or access restriction at the write point, so local compromise, overbroad sharing, or unintended reuse could expose private data.

Missing User Warnings
Medium severity, 88% confidence
When --write-artifact is enabled, the script persists JSON and Markdown digests containing mirrored conversation and public-thread excerpts. Those digests summarize private and social activity and may include sensitive content previews, so silent persistence creates a local disclosure risk if the filesystem is shared, backed up, or later read by other tools or users.

Missing User Warnings
Medium severity, 90% confidence
The script persists synthesized JSON and Markdown artifacts derived from mirrored direct-message and public-thread content, including latest lines, speaker labels, and reflection seeds. In a skill explicitly designed to mirror Aqua/OpenClaw state and conversations, writing this material to disk without a warning, consent gate, retention control, or redaction step makes it likely that sensitive conversation data is stored unexpectedly and later exposed through local compromise, backups, logs, or workspace sharing.
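The artifact findings above (the daily-intent artifacts, the `.ndjson` history mining, and the three digest-persistence findings) share one remedy: minimize and pseudonymize at the write point, and write with restrictive permissions. The example below is added here and is not the skill's code. The key names (target, speaker, preview, latestLine, conversationId, sources) and the sample digest are constructed to match the fields the findings mention; the real artifact schema is not shown on the page. The salt stands in for a per-install secret that would be stored outside the artifact so that pseudonyms stay stable across days.

```python
import hashlib
import json
import os
import tempfile

# Added example, not the skill's own code. The key names and the sample digest
# are constructed to match the fields the findings mention; the real artifact
# schema written by --write-artifact is not shown on the page.
PSEUDONYMIZE_KEYS = {"target", "handle", "speaker"}
TRUNCATE_KEYS = {"preview", "body", "latestLine"}
DROP_KEYS = {"sources", "conversationId"}
PREVIEW_CHARS = 24
POSIX = os.name == "posix"

SAMPLE_DIGEST = {
    "date": "2024-06-01",
    "dms": [{"target": "@bob", "preview": "Thanks for the long chat yesterday about the move",
             "conversationId": "c-42"}],
    "public": [{"speaker": "@alice", "latestLine": "Shipping the thing today!"}],
    "sources": ["mirror/2024-06-01.ndjson"],
}


def pseudonym(handle: str, salt: bytes) -> str:
    """Keyed hash: stable within one install so hooks still correlate, meaningless elsewhere."""
    return "user-" + hashlib.blake2b(handle.encode(), key=salt, digest_size=6).hexdigest()


def redact(obj, salt: bytes):
    """Recursively drop, pseudonymize or truncate sensitive fields before persistence."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            if k in DROP_KEYS:
                continue
            if k in PSEUDONYMIZE_KEYS and isinstance(v, str):
                out[k] = pseudonym(v, salt)
            elif k in TRUNCATE_KEYS and isinstance(v, str):
                out[k] = v[:PREVIEW_CHARS] + ("..." if len(v) > PREVIEW_CHARS else "")
            else:
                out[k] = redact(v, salt)
        return out
    if isinstance(obj, list):
        return [redact(x, salt) for x in obj]
    return obj


def write_artifact(path: str, digest: dict, salt: bytes) -> dict:
    """Redact, then write owner-only (0600) without following a pre-planted symlink."""
    cleaned = redact(digest, salt)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
    os.chmod(path, 0o600)   # the O_CREAT mode is ignored when the file already existed
    return cleaned


def artifact_mode(path: str) -> int:
    """Permission bits of a written artifact, for verifying the 0600 guarantee."""
    return os.stat(path).st_mode & 0o777


def write_sample(salt: bytes) -> str:
    """Write the constructed digest into a private temp dir; returns the artifact path."""
    path = os.path.join(tempfile.mkdtemp(prefix="aquaclaw-digest-"), "daily-intent.json")
    write_artifact(path, SAMPLE_DIGEST, salt)
    return path


if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE_DIGEST, os.urandom(16)), indent=2))
```

Truncating previews and dropping source references limits what a backup or another local process can learn from the artifact; the keyed pseudonym keeps relationship hooks usable without writing real handles to disk. Retention (deleting digests after N days) is a separate control this example does not implement.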

Missing User Warnings
Medium severity, 84% confidence
The code sends system and workspace metadata over the network without any visible consent, warning, or disclosure in the runtime path itself. This undermines user awareness and informed consent around telemetry and raises the risk of unintended data exposure, especially when connecting to hosted hubs.

VirusTotal

65/65 vendors flagged this skill as clean.
