Back to skill

Security audit

Openclaw Rappi

Security checks across malware telemetry and agentic risk

Overview

This Rappi ordering skill has clear checkout approval safeguards, but it also tells the agent to auto-install and run unpinned GitHub code as a persistent local service with access to a logged-in browser session.

Install only if you trust the external openclaw-rappi GitHub service and are comfortable with a background local service controlling a dedicated logged-in Rappi browser profile. Review checkout details carefully, use the exact approval phrase only for orders you intend to pay for, and look for separate instructions to stop or uninstall the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically clone code from GitHub, run npm install/build, and start a local service if it is missing. That introduces a broad arbitrary code execution and supply-chain trust boundary far beyond merely using an existing local ordering service, and it could execute attacker-controlled code if the repository or dependencies are compromised.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Launching Chrome with a dedicated profile and remote debugging enabled grants host-control/browser-control capability beyond the narrow business action of placing an order. Even if intended for visible-user automation, opening a browser with CDP enabled can expose sensitive session data and create a reusable control channel over the user's authenticated browsing context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.