OpenClaw Dashboard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenClaw status dashboard that runs a local status command and can show or format status data for Feishu, with some privacy documentation that should be clearer.

Install only if you trust the local OpenClaw CLI and are comfortable sharing status summaries with the target Feishu conversation. Avoid posting `/status-card` into chats that should not see session names, token usage, node/system details, or model/runtime metadata, and treat the optional dashboard as networked because it loads third-party browser assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The README makes a concrete security/privacy claim that there are no external API calls, while the documented features explicitly include pushing Feishu cards to group chat. This mismatch can mislead users and reviewers about data egress, causing them to enable the skill under false assumptions about where operational metadata may be sent.

VirusTotal

63/63 vendors flagged this skill as clean.
