claude-code-evolution

Security checks across malware telemetry and agentic risk

Overview

This skill is a security-focused OpenClaw upgrade kit, but its credential and approval scripts have unsafe defaults and can persist or print sensitive data.

Install only if you are prepared to review and modify the scripts before use. Do not run the credential migration or credential protection scripts on real secrets unless you remove the hardcoded password fallback, eliminate secret previews from config/report/console output, and ensure audit and memory logs are redacted and permission-restricted. Treat the approval and sandbox components as prototypes, not enforceable security controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The tool stores secret-derived metadata back into generated artifacts via the migration map, including credential references and an original_value_preview made from portions of the plaintext secret. Even partial secret disclosure materially weakens credential confidentiality, and embedding a credential inventory in config files increases the blast radius if those files are exposed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The script writes a migration report into a workspace memory area that includes a credential inventory and system status. For a security-hardening migration tool, generating broad metadata artifacts in a likely shared or indexed workspace creates unnecessary exposure of sensitive operational details.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The migration summary prints original secret previews to the console for operator convenience. Console output is commonly captured in shell history, CI logs, terminal recordings, or support transcripts, so exposing secret-derived substrings creates an avoidable leakage path.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding
Falling back to a hardcoded master password completely undermines the confidentiality of the encrypted credential store, especially because the script also prints the password. Anyone with access to migrated data or logs could decrypt stored secrets, defeating the purpose of the migration tool.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The tool identifies several fields as sensitive but intentionally leaves some unchanged in the updated configuration, despite presenting itself as a credential migration utility. This creates a false sense of protection and can leave secrets or sensitive infrastructure data in plaintext after operators believe migration is complete.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The Level 4 implementation and comments are inconsistent: it computes and stores only a SHA-256-derived obfuscated value, but the deobfuscation path implies the original value may be recoverable. This can cause operators or downstream code to assume identifiers can be restored when they cannot, leading to data loss, broken access flows, and unsafe fallback handling around credential metadata.
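The preview, hardcoded-fallback and "deobfuscation" findings above share one fix: secret-derived text never reaches a config, report or console, the store's master password never defaults to a constant, and nothing pretends a hashed value can be recovered. The following is an added example in Python, not the skill's own migration script, showing that shape. The master password is read from an environment variable and migration fails closed without it; each sensitive field is replaced by a reference; the migration map carries a keyed HMAC-SHA256 fingerprint instead of an original_value_preview; and the only operation on that fingerprint is an equality check. The variable name CRED_STORE_MASTER_PASSWORD, the field-name heuristic, the `cred:` reference scheme and the sample config are assumptions made for the example; encrypting the `to_encrypt` payload is outside its scope.

```python
"""Credential migration with no secret previews and no built-in password."""
import hashlib
import hmac
import json
import os

# Field-name fragments treated as sensitive. Assumption for this example;
# the page does not show the real script's classification rules.
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "api_key")
ENV_VAR = "CRED_STORE_MASTER_PASSWORD"   # hypothetical variable name


class MissingMasterPassword(RuntimeError):
    """Raised instead of falling back to a constant."""


def require_master_password(environ=os.environ):
    """Fail closed: no environment variable means no migration. The value is
    returned to the caller only, never printed."""
    value = environ.get(ENV_VAR)
    if not value:
        raise MissingMasterPassword(f"{ENV_VAR} is not set; refusing to migrate")
    return value


def derive_key(master_password, salt, iterations=600_000):
    """PBKDF2-HMAC-SHA256 store key. The salt is stored next to the encrypted
    data; the password is not."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def fingerprint(key, value):
    """Keyed one-way fingerprint. Unlike an unkeyed SHA-256 it cannot be
    brute-forced offline from the map alone, and there is no 'deobfuscate':
    the only supported operation is the equality check in matches()."""
    return hmac.new(key, value.encode(), "sha256").hexdigest()


def matches(key, candidate, fp):
    return hmac.compare_digest(fingerprint(key, candidate), fp)


def is_sensitive(field_name):
    lowered = field_name.lower()
    return any(fragment in lowered for fragment in SENSITIVE_FRAGMENTS)


def migrate_config(config, key):
    """Replace every sensitive field with a reference.

    Returns (migrated_config, migration_map, to_encrypt):
      migrated_config: safe to write to disk, references only
      migration_map:   reference -> field name + keyed fingerprint, no previews
      to_encrypt:      reference -> plaintext, destined for the encrypted store
                       and never for a config, report or console
    """
    migrated, migration_map, to_encrypt = {}, {}, {}
    for name, value in config.items():
        if is_sensitive(name) and isinstance(value, str):
            ref = f"cred:{name}"
            migrated[name] = {"ref": ref}
            migration_map[ref] = {"field": name, "fingerprint": fingerprint(key, value)}
            to_encrypt[ref] = value
        else:
            migrated[name] = value
    return migrated, migration_map, to_encrypt


def summary_lines(migration_map):
    """Console summary that names what moved, with no secret-derived text."""
    return [f"migrated {entry['field']} -> {ref}" for ref, entry in migration_map.items()]


def leaks_plaintext(artifact, secret_values):
    """CI guard: no artifact may contain any 4-character slice of a migrated
    secret, which catches 'previews' as well as whole values."""
    blob = json.dumps(artifact)
    for s in secret_values:
        for i in range(len(s) - 3):
            if s[i:i + 4] in blob:
                return True
    return False
```

The guard is the check a practitioner wants in the migration tool's own tests: run it over the migrated config, the migration map, the report and the console summary before any of them is written.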

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The simulate/check CLI handling is broken: the code mistakenly uses args.command, which holds the subcommand name, instead of the user-supplied --command value. This can cause the permission evaluation and audit trail for exec operations to inspect and log 'simulate' rather than the actual shell command, undermining the core security purpose of the script and potentially allowing dangerous commands to appear harmless during review.
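The collision is easy to make with argparse: if the subparsers are declared with dest="command" and each subcommand also accepts --command, both writes land on args.command. The following is an added example in Python, not the skill's script, with a parser whose subparsers dest is distinct from the option, an evaluate() that inspects the operator-supplied string, and a start-up check that reports any subcommand option shadowing the subparsers dest. The deny-pattern list and the command-line inputs are constructed for the example, and the collision check walks argparse's private _actions, so it belongs in tests rather than production code.

```python
"""Permission-check CLI whose audit trail inspects the real command."""
import argparse

# Substrings this example treats as high risk. Constructed for the example;
# the page does not show the script's real policy.
DENY_PATTERNS = ("rm -rf", "mkfs", "dd if=", "| sh", "| bash", "curl ")


def build_parser(subparsers_dest="subcommand"):
    """The subparsers dest must not collide with any option inside the
    subcommands; with dest="command" both writes land on args.command."""
    parser = argparse.ArgumentParser(prog="permcheck")
    sub = parser.add_subparsers(dest=subparsers_dest, required=True)
    for name in ("simulate", "check"):
        p = sub.add_parser(name, help=f"{name} permission evaluation of a shell command")
        p.add_argument("--command", required=True, help="shell command to evaluate")
    return parser


def find_dest_collisions(parser):
    """Test-time guard: list (subcommand, dest) pairs where an option inside a
    subcommand shares its dest with the subparsers action."""
    collisions = []
    for action in parser._actions:
        if isinstance(action, argparse._SubParsersAction):
            for name, sub in action.choices.items():
                for a in sub._actions:
                    if a.dest == action.dest:
                        collisions.append((name, a.dest))
    return collisions


def classify(command):
    lowered = command.lower()
    for pattern in DENY_PATTERNS:
        if pattern in lowered:
            return "deny", pattern
    return "allow", None


def evaluate(argv):
    """Return the audit record for one invocation. The inspected string is
    args.command (operator input), never args.subcommand ('simulate'/'check')."""
    parser = build_parser()
    assert not find_dest_collisions(parser), "argparse dest collision"
    args = parser.parse_args(argv)
    decision, matched = classify(args.command)
    return {"mode": args.subcommand, "command": args.command,
            "decision": decision, "matched": matched}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(evaluate(sys.argv[1:])))
```

Whatever the audit record stores should be the same string the policy evaluated; a test that feeds a known-dangerous command through the simulate path and asserts on the logged decision is the regression test this finding calls for.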

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The wrapper indicates that approval is required, but the code only prints a simulated approval message and then immediately executes the original function. This defeats the approval control entirely, allowing high-risk actions to run without any real human confirmation despite claiming a protected workflow.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
This is a real integrity flaw in the test script: after worker.execute_task() returns, the worker clears self.current_task, but execute_tasks() then reads worker.current_task and appends None instead of the completed task. As a result, task completion/failure tracking and reporting are corrupted, which can cause the script to falsely claim the Coordinator+Worker workflow was validated when it was not.
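An added example in Python, not the skill's test script, of the coordinator and worker bookkeeping: the buggy read of worker.current_task is kept beside a corrected execute_tasks() that consumes the return value of execute_task(), routes failures to their own list, and only reports the workflow as validated when every submitted task is accounted for. The Task and TaskResult types and the "fail" trigger in the payload are constructed for the example.

```python
"""Coordinator/worker bookkeeping that records what actually ran."""
from dataclasses import dataclass


@dataclass
class Task:
    task_id: str
    payload: str


@dataclass
class TaskResult:
    task: Task
    ok: bool
    detail: str = ""


class Worker:
    def __init__(self, name):
        self.name = name
        self.current_task = None

    def execute_task(self, task):
        """Run the task and return its outcome. current_task is cleared on
        exit, so callers must use the return value, not the attribute."""
        self.current_task = task
        try:
            if "fail" in task.payload:          # constructed failure trigger
                raise RuntimeError(f"{task.task_id}: {task.payload}")
            return TaskResult(task, True, "done")
        except RuntimeError as exc:
            return TaskResult(task, False, str(exc))
        finally:
            self.current_task = None


class Coordinator:
    def __init__(self, workers):
        self.workers = workers
        self.completed, self.failed = [], []

    def execute_tasks_buggy(self, tasks):
        """The pattern the finding describes: reads worker.current_task after
        the worker has already cleared it, so every entry is None."""
        for worker, task in zip(self.workers, tasks):
            worker.execute_task(task)
            self.completed.append(worker.current_task)

    def execute_tasks(self, tasks):
        """Use the returned result; failures never count as completed."""
        results = []
        for i, task in enumerate(tasks):
            worker = self.workers[i % len(self.workers)]
            result = worker.execute_task(task)
            (self.completed if result.ok else self.failed).append(result.task)
            results.append(result)
        return results

    def validated(self, tasks):
        """True only when nothing failed and every submitted task id was
        recorded; None entries (the bug above) make this False."""
        seen = {t.task_id for t in self.completed + self.failed if t is not None}
        return not self.failed and seen == {t.task_id for t in tasks}
```

The last method is the point: a validation script must compare what it recorded against what it submitted, so corrupted tracking surfaces as a failed check instead of a green report.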

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The protocol explicitly permits create/modify/delete operations and defines write-task execution rules, but it does not require user confirmation, change review, or impact disclosure before destructive actions. In a multi-agent setting, this increases the chance of unintended or unauthorized file changes propagating quickly across workers.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The script writes a migrated config and later a report containing credential metadata without clear advance disclosure before execution. In a credential-handling tool, surprising creation of persistent artifacts can cause operators to leave sensitive metadata in less protected locations than intended.

Missing User Warnings

Severity: High
Confidence: 90%
Finding
The tool copies the original config to a backup and writes a migrated file, both of which can contain sensitive credential data or metadata, without prominently warning the operator beforehand. This increases the number of files containing secrets and may leave plaintext credentials resident on disk even after migration.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The audit logger stores raw params, result, and user_context directly to JSONL without redaction. In a permission-checking system, these fields can contain secrets, sensitive file paths, tokens, or dangerous commands, so persistent plaintext logging increases exposure to anyone who can read logs or backups.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Approval-required and approval-then-sandbox branches rely on placeholder text such as '[模拟: 用户批准后继续]' (Chinese for "[simulated: continue after user approval]") rather than an actual confirmation mechanism. In a security integration component, this creates a dangerous mismatch between policy and enforcement, enabling unauthorized execution of sensitive tools.
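Both approval findings (the wrapper that prints a simulated approval and runs anyway, and the placeholder-text branches above) come down to the same missing property: the protected function must not execute until an approver has actually said yes, and when nobody can be asked the answer is no. The following is an added example in Python, not the skill's wrapper, showing the simulated gate beside a real one. The real gate takes an approver callable, treats a missing terminal as denial, records every decision including denials, and raises before the callee runs. The action name, the delete_path demo tool and the approvers used in the test are constructed for the example.

```python
"""An approval gate that blocks until a real decision exists."""
import functools
import json
import sys


class ApprovalDenied(PermissionError):
    """Raised when no approver granted the action; the callee never ran."""


def tty_approver(action, params, stdin=sys.stdin):
    """Ask a human on the controlling terminal. With no terminal (CI, cron,
    an agent loop) there is nobody to ask, so the answer is no."""
    if not stdin.isatty():
        return False
    answer = input(f"Approve {action} {json.dumps(params, sort_keys=True)}? [y/N] ")
    return answer.strip().lower() == "y"


def simulated_gate(fn):
    """The pattern the findings describe: announces approval and runs anyway."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        print("[simulated: continue after user approval]")
        return fn(*args, **kwargs)
    return wrapper


def requires_approval(action, approver=tty_approver, audit=None):
    """Real gate: the wrapped function executes only after approver() returns
    True. Every decision, including denials, is handed to audit()."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            decision = bool(approver(action, kwargs))
            if audit is not None:
                audit({"action": action, "params": kwargs, "approved": decision})
            if not decision:
                raise ApprovalDenied(f"{action} not approved")
            return fn(*args, **kwargs)
        return wrapper
    return decorator


def _delete_path(*, path):
    """Demo tool, constructed for the example; keyword-only so the audit
    record captures its parameters by name."""
    return f"deleted {path}"


def make_gated_delete(approver, audit_sink):
    """Bind the demo tool to a specific approver and an audit list."""
    return requires_approval("delete_path", approver=approver,
                             audit=audit_sink.append)(_delete_path)
```

The approver is injected rather than hard-wired so the same gate can front a terminal prompt, a ticketing system or a policy engine, and so tests can exercise both outcomes without a human present.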

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The prompt fragment explicitly instructs the agent to write mistakes, root causes, fixes, and prevention rules into MEMORY.md after each error. In an agent system, that creates a persistent natural-language retention channel that can store sensitive user content, operational details, secrets, or security-relevant failures beyond the original session, increasing privacy leakage and prompt/context contamination risk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The conversation summarization and memory injection flow intentionally carries user and assistant content forward into future prompts, including extracted preferences and project state. Without sensitivity filtering, consent controls, or provenance boundaries, this can propagate confidential or attacker-supplied text across sessions, causing data leakage, prompt injection persistence, and unintended reuse of stale or malicious instructions.
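The audit-logger finding and the two memory-retention findings share a sink problem: raw params, results, user context and lesson notes are persisted verbatim. One redaction step applied before any write serves all three. The following is an added example in Python, not the skill's logger or prompt code: a recursive redact() that masks secret-named keys and token-shaped substrings, a file opener that creates the artifact with mode 0600 and refuses to follow a symlink at the path, an AuditLog that writes redacted JSONL, and an append_memory_note() that runs the same redaction before touching MEMORY.md. The key list, the token regexes and the sample records in demo() are constructed for the example and should be tuned to the environment.

```python
"""Redact before persisting: the audit JSONL and the agent's MEMORY.md."""
import json
import os
import re
import stat
import tempfile

# Key names whose values are always masked, and token shapes masked inside any
# string. Both lists are constructed for this example.
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key",
               "authorization", "cookie", "private_key")
TOKEN_PATTERNS = [
    re.compile(r"(?i)bearer\s+[a-z0-9._\-]{16,}"),
    re.compile(r"\b(?:sk|ghp|xox[abp])[_-][A-Za-z0-9_\-]{16,}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
]
MASK = "[REDACTED]"


def redact_text(text):
    for pattern in TOKEN_PATTERNS:
        text = pattern.sub(MASK, text)
    return text


def redact(obj):
    """Recursively mask secret-named keys and token-shaped substrings."""
    if isinstance(obj, dict):
        return {k: MASK if any(s in k.lower() for s in SECRET_KEYS) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def open_private(path):
    """Append-only handle created with mode 0600 that refuses to follow a
    symlink planted at the path; an existing file is re-chmodded too."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    if os.name == "posix":
        os.fchmod(fd, 0o600)
    return os.fdopen(fd, "a", encoding="utf-8")


class AuditLog:
    def __init__(self, path):
        self.path = path

    def write(self, tool, params, result, user_context):
        record = redact({"tool": tool, "params": params,
                         "result": result, "user_context": user_context})
        with open_private(self.path) as f:
            f.write(json.dumps(record, sort_keys=True) + "\n")
        return record


def append_memory_note(path, mistake, root_cause, fix, prevention):
    """MEMORY.md entry with the same redaction applied to every field."""
    fields = redact({"mistake": mistake, "root_cause": root_cause,
                     "fix": fix, "prevention": prevention})
    with open_private(path) as f:
        f.write("## Lesson\n" + "".join(f"- {k}: {v}\n" for k, v in fields.items()))
    return fields


def demo():
    """Write both artifacts to a scratch directory and read them back."""
    base = tempfile.mkdtemp()
    log = AuditLog(os.path.join(base, "audit.jsonl"))
    log.write("exec",
              {"cmd": "curl -H 'Authorization: Bearer abcdefghijklmnopqrstu' https://api.example"},
              {"rc": 0},
              {"user": "alice", "api_key": "sk_live_ABCDEFGHIJKLMNOPQR"})
    append_memory_note(os.path.join(base, "MEMORY.md"),
                       mistake="pasted ghp_ABCDEFGHIJKLMNOPQRSTUV into a shell command",
                       root_cause="token in env dump", fix="rotated it",
                       prevention="never echo env")
    with open(log.path, encoding="utf-8") as f:
        records = [json.loads(line) for line in f]
    with open(os.path.join(base, "MEMORY.md"), encoding="utf-8") as f:
        memory = f.read()
    mode = stat.S_IMODE(os.stat(log.path).st_mode)
    return {"records": records, "memory": memory, "mode": mode, "posix": os.name == "posix"}
```

Key-based masking catches structured fields; the regexes catch secrets embedded in free text such as a shell command or a lesson note, which is where a key list alone misses. Provenance is the remaining gap for the memory flow: a redacted note can still carry attacker-supplied instructions, so what gets written to MEMORY.md should be treated as untrusted content when it is read back into a prompt.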

VirusTotal

65/65 vendors flagged this skill as clean.
