Huo15 Openclaw Enhance

Security checks across malware telemetry and agentic risk

Overview

This is a broad OpenClaw enhancement plugin with sensitive memory, routing, upload, bridge, and persistence features that are only partly disclosed in the visible package summary.

Install only if you want a broad, default-on OpenClaw enhancement suite, not just an upload fix. Review and disable unneeded modules first, especially modelRouter, ccBridge*, dashboard/upload/share, memory export, scheduled tasks, and trajectoryArchiver. Do not run the bundled LaunchAgent scripts or generated launchctl commands unless you explicitly want scheduled file movement/deletion under your user account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (51)

Description-Behavior Mismatch (Medium, 94% confidence)

The planning document describes a broad capability set—structured memory, workflow automation, dashboards, self-checking, and context pruning—that materially exceeds the manifest’s stated narrow purpose of upload-loop repair and upload-flow guidance. This kind of scope drift is dangerous because reviewers and users may grant trust based on the manifest while the skill actually influences prompts, persistence, and tool behavior in much wider ways.

Description-Behavior Mismatch (Medium, 95% confidence)

Later iterations introduce memory export, task management, workflow persistence, and deeper integration into OpenClaw memory search, none of which are reflected in the stated purpose. Hidden or under-disclosed expansion of data access and persistence capabilities increases the risk of unauthorized data exposure, unexpected autonomy, and reviewer deception.

Description-Behavior Mismatch (High, 96% confidence)

The metadata describes a narrowly scoped large-file upload guidance fix, but the entrypoint actually registers a large, multi-capability plugin suite spanning memory, workflow, routing, external bridges, installers, and session tooling. That scope mismatch is dangerous because it defeats operator review and consent boundaries: an administrator expecting a small upload-flow patch would unknowingly deploy broad privileged functionality across many hooks and tools.

Context-Inappropriate Capability (Medium, 88% confidence)

Registering a skill-installation capability inside a plugin advertised as a non-intrusive enhancement/upload-flow fix expands the trust boundary from local augmentation to ecosystem modification. Even if this file only registers the installer and does not directly execute installation here, exposing installation functionality can enable unreviewed acquisition of additional code or skills beyond the operator's original intent.

Context-Inappropriate Capability (Medium, 90% confidence)

The code registers multiple bridge and dispatch modules for external services and automated task routing that are unrelated to the stated upload-loop fix. These broaden the attack surface by introducing additional network interactions, dispatch paths, and automation hooks that reviewers would not expect from the manifest, increasing the chance of misuse, misconfiguration, or hidden data flow to other systems.

Description-Behavior Mismatch (High, 96% confidence)

This script creates and immediately loads a per-user macOS LaunchAgent, establishing scheduled execution outside the plugin's normal runtime. Even though the stated purpose is a one-time audit, OS-level persistence meaningfully expands the skill's capability and attack surface beyond a 'non-intrusive enhancement' and could be repurposed to run arbitrary code later under the user's account.

Intent-Code Divergence (High, 93% confidence)

The comments claim the script only creates a LaunchAgent and does not invoke launchctl load in plugin runtime, but the body later executes unload/load. This mismatch is dangerous because reviewers or users may trust the comments and underestimate the script's persistence behavior, reducing informed consent and making stealthy persistence easier to hide.

Description-Behavior Mismatch (Medium, 90% confidence)

The installer modifies the user's OpenClaw workspace by copying multiple skills and patching AGENTS.md/SOUL.md, which is materially broader than the metadata's narrowly framed upload-loop fix and flow guidance. This kind of scope mismatch is dangerous because users may consent to a small bugfix but instead receive persistent prompt and workspace changes that alter agent behavior beyond what was disclosed.

Description-Behavior Mismatch (Medium, 94% confidence)

The completion output advertises installation of memory storage/search, safety logging, workflow automation, and a dashboard, none of which are reflected in the provided skill description focused on upload handling. Hidden or undisclosed feature expansion increases risk because it can introduce new data collection, persistence, automation, or network-exposed surfaces that the user did not knowingly approve.

Description-Behavior Mismatch (High, 97% confidence)

The module materially exceeds the declared upload-flow enhancement scope by adding a hidden prefetch-and-inject capability that enumerates cc-media-bridge sessions and inserts their contents into the model prompt. This creates an undeclared data access and prompt-manipulation path, which is dangerous because users and operators would not expect a plugin for upload guidance to read historical task/session data and steer model output with it.

Context-Inappropriate Capability (Medium, 95% confidence)

This code reads a local dashboard password from the user's home directory and uses it to query session data from a local bridge service, which is unrelated to the skill's stated upload-guidance purpose. Harvesting local credentials/configuration to enumerate sessions is a clear expansion of privileges and can expose sensitive task metadata without informed consent.

Description-Behavior Mismatch (Medium, 93% confidence)

This dashboard module exposes substantial file-upload and file-write functionality, including streaming uploads up to 2GB and writing attacker-controlled content to disk, which materially expands the module's attack surface beyond a simple dashboard. In practice this creates a remote file-drop endpoint under the plugin namespace and returns the server-side filesystem path, enabling storage abuse, sensitive path disclosure, and possible chaining with other local-processing components that may later consume uploaded files unsafely.

Context-Inappropriate Capability (Medium, 88% confidence)

The code derives and caches a base URL from incoming requests for later link generation. If the host/proto information is influenced by untrusted request headers or reverse-proxy metadata, an attacker can poison generated links, causing the system to produce attacker-controlled URLs that may be sent to users or other agents.

Description-Behavior Mismatch (Medium, 91% confidence)

The module registers an unrelated `enhance_memory_export` tool that serializes and returns up to 1000 stored memories, including content, tags, agent identifiers, timestamps, and auxiliary fields, directly in the model-visible tool response. In a memory integration plugin, this creates a bulk exfiltration path for cross-session user data that exceeds the stated non-intrusive integration purpose and can be invoked without any apparent authorization, confirmation, redaction, or scope restriction.

Context-Inappropriate Capability (Medium, 93% confidence)

The bulk export capability is not justified by the skill's described purpose and exposes the full memory corpus in one call, making it easy for the model or a prompted workflow to retrieve all retained user facts at once. Because these memories are specifically intended to persist across sessions, the export materially increases privacy and data-minimization risk beyond normal retrieval use.

Description-Behavior Mismatch (High, 98% confidence)

The skill metadata claims a narrow upload-loop fix, but this file registers a substantial model-routing and provider-management subsystem with multiple administrative tools. This scope mismatch is dangerous because it silently expands the plugin's authority to influence model selection and runtime behavior far beyond the declared purpose, undermining reviewability and informed consent.

Description-Behavior Mismatch (Medium, 93% confidence)

The code reads global configuration from ~/.openclaw/openclaw.json during startup even though the skill is presented as an upload-flow enhancement. Accessing host-global model/provider configuration increases the skill's knowledge of the environment and couples it to sensitive runtime state that was not disclosed in the stated feature scope.

Context-Inappropriate Capability (High, 99% confidence)

These tools can modify routing mode, enable/disable providers, reprioritize models, and clear bans, which are privileged administrative actions unrelated to the advertised upload fix. If exposed to the agent or triggered unexpectedly, they could change which providers receive prompts and attachments, alter cost/performance characteristics, or disable safeguards without the operator realizing this skill has that authority.

Context-Inappropriate Capability (Medium, 90% confidence)

The skill continuously records model latency/error telemetry and uses it to trigger circuit-breaker and quota-ban behavior, which changes routing decisions over time. Although likely intended for resilience, this creates hidden stateful behavior outside the skill's declared upload purpose and can redirect traffic between providers based on observed failures, affecting data flow and service availability.

Intent-Code Divergence (Low, 89% confidence)

The tool accepts a user-controlled workspace path and then performs unrestricted filesystem inspection under that path, including directory enumeration and reading manifest-like files. Although it is 'read-only', this still enables local file and directory probing outside the intended OpenClaw workspace, which can leak sensitive path structure, installed software names, and file contents matching skill manifest names.

Intent-Code Divergence (Medium, 97% confidence)

The module advertises itself as "read-only + return-cliCmd", but the returned command writes a shell script and LaunchAgent plist, loads the agent, starts it immediately, and then moves and deletes session-related files. This mismatch is dangerous because users or higher-level orchestration may trust the tool as non-destructive when it actually facilitates persistence and file deletion once copied into a shell.

Description-Behavior Mismatch (High, 96% confidence)

The skill manifest describes a narrow upload-flow enhancement, but this file implements a general-purpose persistent data layer covering memories, notifications, todos, chapters, scheduled tasks, and profiling-related migrations. That scope expansion materially increases the plugin’s capability surface and data retention footprint beyond what a user or reviewer would reasonably expect, creating a stealthy persistence mechanism that could store conversation data and operational state long-term.

Context-Inappropriate Capability (Medium, 89% confidence)

The gamified pet-state subsystem is unrelated to the declared upload-processing purpose and introduces unnecessary persistent user state. Even if intended as harmless UX, hidden or undisclosed state collection broadens what the plugin can track over time and weakens least-privilege expectations for this skill.

Context-Inappropriate Capability (High, 95% confidence)

Persisting scheduled task bindings is substantially outside the stated upload-flow scope and enables durable automation behavior across sessions. In a plugin advertised as a non-invasive upload enhancement, hidden task persistence is dangerous because it can support future autonomous actions or instruction replay not apparent from the manifest.

Context-Inappropriate Capability (High, 97% confidence)

This file implements broad persistence for memories, todos, chapters, notifications, and safety logs, far exceeding an upload-flow fix. Such overbroad storage increases the chance of collecting sensitive user content, retaining it longer than expected, and enabling cross-session behavioral control or surveillance under the cover of a narrowly described plugin.

VirusTotal

63/63 vendors flagged this skill as clean.