Aliyun Openclaw

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a private OpenClaw server runbook that exposes real-looking passwords/API tokens and can upload local skills to a fixed remote server.

Only use this if the server and all listed credentials are yours and you understand the remote-control implications. Before installing or running commands, rotate the exposed secrets, replace hardcoded values with your own secret-managed credentials, restrict the gateway network exposure, and review any files before uploading them to the remote server.

Static analysis

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the skill text could try to access the server, gateway, and paid/provider accounts, and the legitimate owner may face account compromise or unexpected usage charges.

Why it was flagged

The skill exposes direct root server access plus gateway and model-provider credentials, while the registry declares no credentials or env vars.

Skill content
Remote server IP `47.115.54.84`; SSH username `root`; SSH password `Davinci...`; Gateway Token `f9df...`; API Key `sk-sp-...`
Recommendation

Do not use this as a public skill. Rotate/revoke all exposed secrets, remove hardcoded credentials, and require users to supply their own credentials through a secret store or environment variables.

What this means

Local skills may contain private code, prompts, tokens, or business logic and could be transferred to a server the installing user does not control.

Why it was flagged

The workflow packages every local skill and uploads it to a fixed remote server using a hardcoded root password.

Skill content
cd ~/.openclaw/workspace/skills/; tar -czf skills.tar.gz */; sshpass -p 'Davinci...' scp skills.tar.gz root@47.115.54.84:/opt/openclaw/skills/
Recommendation

Do not run the sync command automatically. Review exactly what will be archived, use a user-owned destination, avoid sshpass, and restrict uploads to explicitly selected files.

What this means

If the token is known and the service is reachable, other parties may be able to interact with or control the OpenClaw gateway and connected devices/channels.

Why it was flagged

The gateway is configured for LAN binding with wildcard browser origins, and the token is hardcoded in the published artifacts.

Skill content
"bind": "lan", "auth": {"mode": "token", "token": "f9df..."}, "controlUi": {"allowedOrigins": ["*"]}
Recommendation

Rotate the gateway token, bind to localhost or a VPN-only interface, restrict allowed origins, and firewall the gateway to trusted clients only.

What this means

A deployment could install unexpected code or change behavior over time, especially when run inside a persistent remote gateway.

Why it was flagged

The guide says the package is internal/non-public but still instructs npm installation, creating a provenance and package-confusion risk; SKILL.md also uses an unpinned Docker image tag.

Skill content
Browser Relay (@openclaw/browser-relay) is an internal OpenClaw package and is not in the public npm registry ... npm install @openclaw/browser-relay
Recommendation

Use verified package sources, pin exact versions or digests, and avoid installing internal package names from public registries unless provenance is confirmed.

What this means

Services and tunnels may continue running after the initial task, keeping remote access paths active.

Why it was flagged

The skill intentionally creates long-running gateway/container and tunnel behavior, which is disclosed and purpose-aligned but persistent.

Skill content
docker run -d ... --restart always ...; ssh -f -N -L 18790:localhost:18789 root@47.115.54.84
Recommendation

Track the created container, background processes, and tunnels, and stop or remove them when no longer needed.