Security audit

OpenClaw Guard

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed backup-and-rollback guard, but its shipped runtime config sends messages to a hardcoded Feishu recipient and performs high-impact automatic restore, restart, and deletion actions that warrant review.

Review before installing or running. In scripts/config/settings.yaml specifically: disable Feishu notifications unless you want them, remove the hardcoded Open ID, and change the hardcoded backup path. Only use start, restore, check, or clean when automatic file rollback, Gateway restart, and permanent backup deletion are acceptable outcomes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documents shell execution capabilities such as running guard scripts, curl, pkill, cp, and systemctl, but it does not declare corresponding permissions. This creates a transparency and least-privilege problem: an agent or user may authorize the skill based on incomplete metadata, while the documented workflow can modify files, kill processes, and restart services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The stated purpose is a backup/rollback guard, but the documentation also introduces service health checks, automatic restarts, external webhook alerts, backup management, and manual restore flows. This broader behavior materially increases operational reach and attack surface, especially because it includes outbound network communication and service control that users may not expect from the description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: Adding Feishu webhook alerting extends the skill from local backup/rollback into outbound communication, which can leak operational metadata and create an unexpected data egress path. In a recovery tool that already handles incident details and file paths, this extra capability makes the skill more sensitive because alerts may expose internal state or be abused for covert notification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script's declared purpose is guarding config changes with backup/rollback, but it also sends outbound Feishu messages and elsewhere manages local services. This expands the trust boundary and data flow beyond the stated purpose, which is risky in an agent skill because sensitive state, paths, or incident details may be transmitted externally without a clear need tied to the core function.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The Feishu messaging capability is not necessary for local backup/rollback and introduces an external exfiltration channel. In an agent context, even seemingly harmless operational messages can leak backup paths, timing, and system state to third parties, making the skill more dangerous than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Health probing and service restart logic go beyond simple file backup/rollback and allow the script to affect system availability and process state. This broadens the scope of impact: a user invoking a backup helper may unintentionally trigger service management operations, which is especially sensitive in automated agent environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Restore/rollback overwrites workspace and configuration files directly without confirmation, dry-run output, or file integrity checks. In this skill context those files appear central to agent behavior and user state, so accidental invocation or stale backup restoration can cause silent data loss or unexpected agent reconfiguration.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: Old backup cleanup recursively deletes directories recorded in the backup list without confirmation and with limited validation. If the list is corrupted or tampered with, the script could delete unintended paths, and even without tampering it performs irreversible deletion silently.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The clean command permanently removes backup directories with rm -rf based on an age parameter and provides no confirmation or preview. In a recovery-oriented tool, deleting backups is particularly dangerous because it destroys the very rollback artifacts users rely on, and mistakes in parameters can remove needed recovery points.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.