Back to skill

Security audit

Aliyun Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a private OpenClaw deployment guide that exposes real-looking passwords, API keys, app secrets, and gateway tokens for a specific server.

Only use this if you own the referenced server and accounts. Treat every embedded credential as exposed: rotate the root password, gateway token, API keys, and Feishu secret; replace them with placeholders or secret-manager references; use SSH keys and least-privilege accounts; restrict gateway binding and allowed origins; and review any commands that upload skills, restart services, or delete pairing state before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill embeds highly sensitive operational secrets in plaintext, including a root SSH password, gateway token, and a live model API key, which are not necessary to publish inside a reusable skill document. Anyone who can read the skill can gain privileged remote access and consume external AI services, making this far more dangerous than ordinary configuration guidance.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill expands scope by directing installation of Browser Relay and MCP-related tooling on the remote host, increasing attack surface beyond basic OpenClaw deployment. Because these additions expose new networked components and trust boundaries, they can introduce unnecessary remote-access and plugin risks in an already privileged environment.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document explicitly cautions that secrets should not be shared while simultaneously disclosing the SSH password and gateway token in plaintext. This contradiction normalizes unsafe handling of credentials and directly enables unauthorized access to the remote server and gateway.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill states that sensitive API keys must not be shared, yet exposes an apparently live API key directly in the file. This creates immediate risk of account abuse, unauthorized model usage, billing loss, and possible access to associated service data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill presents plaintext credentials and tokens as ready-to-use operational steps without strong upfront warnings or safer alternatives. In practice this encourages direct reuse of embedded secrets and lowers the barrier to accidental leakage, credential theft, and unauthorized administration.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The document includes destructive commands to remove containers and delete pairing state, with only limited nearby caution. In a skill intended to be followed operationally, such commands can cause service interruption, configuration loss, and accidental denial of service if run in the wrong context.

Missing User Warnings

High
Confidence
99% confidence
Finding
The document exposes live-looking plaintext secrets, including a root SSH username/password, public IP, and a gateway token, and directly instructs operators to use them. This enables immediate unauthorized server access, privilege abuse, lateral movement, and browser/session takeover if the document is shared, indexed, logged, or copied into tickets/chat.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide instructs use of pkill and service restarts against browser-relay/openclaw components without any warning, confirmation step, or scope limitation. An operator following these steps can terminate active sessions, disrupt in-progress workloads, and cause avoidable denial of service on a shared system.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The file contains live-looking secrets in plaintext, including a Tavily API key, a provider API key, and a fixed gateway authentication token. Hard-coded credentials in a distributable skill/config create immediate risk of unauthorized API use, account abuse, cost exposure, and compromise of any gateway protected only by the embedded token; the lack of user choice or secret injection makes the issue more dangerous in this context.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The control UI allows all origins via allowedOrigins: ["*"], which disables origin-based restrictions for browser access to the gateway UI. In combination with a LAN bind and token-based gateway, this broadens the attack surface and can enable malicious web pages to interact with the control interface from a victim's browser, increasing the likelihood of cross-origin abuse or token misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:45