
Security audit

Openclaw Production Deploy

Security checks across malware telemetry and agentic risk

Overview

This looks like a production deployment helper rather than malware, but it makes persistent privileged system changes and has unsafe, under-scoped deployment behavior that should be reviewed before use.

Do not run this directly on a production machine without review. Verify and fix the service entrypoint, use pinned OpenClaw/npm/Git versions, avoid persistent npm registry changes, keep authentication enabled with a strong token, and test the deployment in an isolated environment first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence: 98%
Finding:
The generated Linux systemd unit is labeled as an OpenClaw gateway service, but its ExecStart runs the deployment script itself via Node rather than the OpenClaw service binary. That means enabling the service at boot can repeatedly execute installer/deployment logic with elevated privileges, causing unintended code execution, persistence of setup actions, and a much larger attack surface than a normal runtime service.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill explicitly instructs users to run deployment, service-registration, autostart, backup restore, and configuration overwrite actions that can modify the host system, but it does not warn about privilege requirements, persistence changes, service disruption, or the risk of overwriting existing configuration and data. In a deployment skill, these operations are contextually expected, but the lack of safety prompts, confirmation steps, and rollback guidance increases the chance of accidental harmful execution on production systems.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The document includes commands to disable authentication or reset tokens during troubleshooting, and the warning is weak and easy to miss in a production setup guide. In practice, operators may copy-paste the commands and leave auth disabled or replace secrets with predictable values, exposing the service to unauthorized access.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The script writes and deletes test files in the current directory, temp directory, and the user's home config directory as part of its checks, but it does so automatically without clear upfront disclosure or consent. Even though the behavior appears intended for environment validation rather than harm, unexpected filesystem modification can be risky in sensitive directories, read-only mounts, synced folders, or automation contexts.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The script performs outbound DNS/network reachability checks to third-party hosts such as github.com, registry.npmjs.org, and 8.8.8.8 without prominently warning the user first. In restricted, privacy-sensitive, or monitored environments, these unsolicited external lookups can leak operational metadata, trigger alerts, or violate network usage policies.

VirusTotal

66/66 vendors flagged this skill as clean.
