openclaw-security-watchdog

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local security-audit skill with optional cloud reporting, and the sensitive behavior generally matches that purpose.

Install only if you want an OpenClaw/system security audit that can inspect local logs, process metadata, workspace files, and installed Skill inventory. Prefer local mode for privacy-sensitive environments. Use `--push` only when you accept sending device identifiers, persistent `agent_id`, Skill inventory, and audit summaries to the disclosed Changeway service, and do not put `--push` in scheduled cron jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands and relies on environment access, yet does not declare corresponding permissions. This weakens transparency and policy enforcement because users and the platform may not fully understand the skill's effective capabilities before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared behavior understates several sensitive actions: scanning workspace file contents, reading command/log history, inspecting process environments, and writing baseline files in paths not fully disclosed. This is dangerous because users may consent to a 'local audit' without realizing the skill performs deeper content inspection and process-level data access that can expose secrets and sensitive operational data.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill says cron jobs must never use `--push`, but later describes a path where cron configuration can indirectly include `--push` via message parameters and periodically report data. This inconsistency is dangerous because it can normalize or enable recurring exfiltration of device identifiers and audit summaries despite earlier privacy assurances.

Scope Creep

Medium
Confidence
98% confidence
Finding
The code claims to perform Windows ACL checks via `checkWindowsFilePermission()`, but `runSafeCommand()` has no `icacls` case, so the helper silently returns `UNKNOWN` for all Windows files. Because only `PERMISSIVE` flips `permOk` to false, the script can report Windows permissions as acceptable or non-actionable when the check never actually ran, creating a blind spot in a security audit tool.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include broad terms such as '检查安全' (roughly "check security") and '系统安全' ("system security"), which may match ordinary conversation and activate a powerful audit skill unintentionally. Because the skill can read sensitive files, logs, processes, and optionally transmit summaries, accidental activation materially increases privacy and operational risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When `--push` is enabled, the script transmits host-identifying metadata including MAC address, hostname, timestamp-derived request context, and a persistent `agent_id`, but it gives no active just-in-time disclosure or confirmation at the moment of transmission. For a security audit tool, silently exporting device identity can surprise users and create privacy, tracking, and asset-correlation risk across repeated runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The threat-intel assessment request uploads the installed skill inventory (`slug`, `author`, `version`, `ownerId`) without an in-band user-facing disclosure immediately before sending. Installed component inventory can reveal internal tooling, security products, workflows, or proprietary environment details, making it sensitive reconnaissance data if transmitted without explicit user awareness.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Runtime dependencies:
    Required: Node.js v18+, openclaw CLI (used for scheduled-task management)
    System commands invoked by the script (if one is missing, the corresponding check is SKIPped without affecting the other checks):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr
Confidence
78% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Required: Node.js v18+, openclaw CLI (used for scheduled-task management)
    System commands invoked by the script (if one is missing, the corresponding check is SKIPped without affecting the other checks):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr

  Default behavior: local offline mode; no network requests are made.
Confidence
78% confidence
Finding
sudo

VirusTotal

64/64 vendors flagged this skill as clean.
