Back to skill

Security audit

Install Hirey AI on OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Hirey AI/OpenClaw installer, but it uses scanner-avoidance/direct config edits and the shipped artifact is missing the vendor payload it says it will install.

Review before installing. This skill will change your OpenClaw configuration, enable local hooks, add a Hi MCP server, store tokens/session routing under ~/.openclaw, and connect the agent to Hirey AI. The current artifact does not include the vendor files it claims to copy, so it may fail or leave broken persistent config. Prefer a corrected release, or back up ~/.openclaw/openclaw.json and be ready to run the provided cleanup path before testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Ssd 2

High
Confidence
99% confidence
Finding
The comments explicitly describe avoiding the installer scanner's detection rules by restructuring code and even avoiding sensitive substrings so the scanner will not flag the package. Deliberately engineering around a security scanner is dangerous because it defeats a trust control meant to warn users about risky install behavior, and in this context it increases suspicion that the package author is trying to conceal security-relevant behavior from review and policy enforcement.

Hidden Instructions

High
Category
Prompt Injection
Content
/**
 * Strip JSON5-flavor comments so JSON.parse can consume the remainder. Handles:
 *   - // line comments (until \n or EOF)
 *   - /* block comments *‍/  (greedy until next *‍/)
 *   - never strips inside string literals (quote-aware state machine)
 *
 * Trailing commas remain after stripping; we keep a small post-pass that drops
Confidence
60% confidence
Finding

Hidden Instructions

High
Category
Prompt Injection
Content
/**
 * Strip JSON5-flavor comments so JSON.parse can consume the remainder. Handles:
 *   - // line comments (until \n or EOF)
 *   - /* block comments *‍/  (greedy until next *‍/)
 *   - never strips inside string literals (quote-aware state machine)
 *
 * Trailing commas remain after stripping; we keep a small post-pass that drops
Confidence
60% confidence
Finding

Tool Parameter Abuse

High
Category
Tool Misuse
Content
* Behavior:
 *   - destRoot is created if missing (recursive mkdir)
 *   - existing files at the same relative path are overwritten (idempotent re-install)
 *   - file modes preserved via fs.copyFile + fs.chmod from source stat
 *   - bin/ symlinks under node_modules/.bin/ are honored (recreated at dest)
 *
 * Runs in O(file count) on the source tree; called once per `setup` invocation.
Confidence
80% confidence
Finding
chmod from source stat * - bin/ symlinks under node_modules/.bin/ are honored (recreated at dest) * * Runs in O(file count) on the source tree; called once per `setup` invocation. */ export asyn

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.