Security audit

OpenClaw Recovery

Security checks across malware telemetry and agentic risk

Overview

This recovery skill appears purpose-built for OpenClaw self-healing, but it grants persistent authority to restart and rewrite configuration while also making local plaintext backups of auth files without enough user control or disclosure.

Install only if you are comfortable with a background cron job that can restart OpenClaw and overwrite its active configuration during recovery. Before installing, review the scripts, restrict permissions on ~/.openclaw/backups, decide whether auth-profiles.json and auth-state.json should be backed up, and be prepared to remove the cron entries if you do not want autonomous recovery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header comments describe the script as a configuration backup utility, but the implementation also copies auth-profiles.json and auth-state.json, which are likely to contain API keys, tokens, or session state. This mismatch is dangerous because operators may run or distribute the script believing it handles only low-sensitivity config while it actually creates additional on-disk copies of secrets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic repair, rollback, restart, log cleanup, and uninstall capabilities but does not clearly warn users that these operations can modify configuration, overwrite state, or delete files. In a recovery/ops skill, those behaviors are expected, but failing to disclose their data-changing effects increases the risk of unsafe installation and accidental loss of user changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installation and auto-run sections say the skill configures cron and performs monitoring/recovery every 5 minutes, but they do not prominently warn that autonomous actions will continue running after installation. Persistent scheduled execution that can restart services or change configs is security-relevant because users may not realize they have granted ongoing authority to modify the system.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The installer generates and deploys recovery logic that can rewrite the user's OpenClaw configuration, restore backups, and restart services, then schedules it to run automatically. Even if intended for self-healing, making configuration-changing behavior persistent without an explicit warning/consent step increases the risk of unexpected state changes and can undermine user control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The backup script copies auth-related files such as auth-profiles.json and auth-state.json into a backup directory without warning the user that sensitive authentication material may be duplicated. This expands the exposure surface of secrets on disk and may leave credential-bearing files in locations with weaker retention or permission controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically copies backup or safe-mode files over the active configuration and restarts the service without any approval gate or integrity verification on the replacement files. If an attacker can place or modify files in the backup directory or safe config path, this recovery path can be abused to persist malicious configuration or silently alter service behavior during a failure event.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently backs up authentication/profile files containing API keys and auth state into a general backup directory under the user's home directory. Creating extra plaintext copies of secrets increases the attack surface: any local compromise, permissive file permissions, sync software, or later exfiltration of backups can expose credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.