OpenClaw Role Builder

Security checks across malware telemetry and agentic risk

Overview

This role/photo skill is mostly coherent, but it is rated Review because it can initiate payment top-up flows, and its API helper can send the service key to caller-chosen hosts even though it claims that requests are restricted to the service's endpoints.

Install only if you are comfortable with persistent OpenClaw role state, TuQu API calls, and payment-related account features. Use a limited or disposable TuQu service key; avoid --base-url and never pass a full URL as the path argument, since the helper will send the key wherever that URL points; review any recharge action manually before opening QR codes or checkout links; and periodically inspect or delete stored roles and memory under ~/.openclaw.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents filesystem access, session persistence, and outbound API use, but there is no explicit permission declaration in the skill metadata for those capabilities. That creates a mismatch between what the platform and user may expect versus what the skill can actually do, increasing the risk of over-privileged execution and reducing informed consent for network and file operations.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation exposes recharge and payment operations that are outside the advertised role-building/image-generation scope, creating a capability expansion that could let the agent initiate billing-related actions unexpectedly. In an agent setting, undocumented or weakly justified financial operations increase the risk of unauthorized purchases, social-engineering-assisted spend, or prompt-driven misuse if higher-level safeguards rely on the manifest description.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Including billing and payment workflow guidance in a role-builder/image-generation skill is context-inappropriate and expands the operational surface from content generation into financial transactions. That mismatch is dangerous because users and orchestration layers may grant the skill broad trust for media tasks, not realizing it also contains instructions for balance checks and recharge flows that could be abused.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The workflow documentation expands the skill from role/photo generation into billing operations by describing how to list recharge plans and create WeChat or Stripe payment sessions. In an agent setting, exposing payment-capable endpoints inside a creative-media skill increases the chance the agent will initiate financial actions that are unnecessary for the user’s core task, creating scope creep and unauthorized transaction risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation explicitly instructs the agent to create external payment artifacts such as WeChat recharge orders and Stripe checkout sessions, which is a materially sensitive capability unrelated to building roles or generating images. If an agent follows these instructions, it could trigger payment flows, expose payment links or QR codes, and facilitate unauthorized spending or social-engineered billing actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The helper permits fully qualified http/https URLs in the path argument, which bypasses the endpoint allowlist and lets callers direct requests to arbitrary destinations. In an agent skill intended for TuQu/OpenClaw image workflows, this turns the tool into a general-purpose network client and can enable SSRF-style access, exfiltration to attacker-controlled hosts, and misuse of any credentials the helper attaches to the request.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The helper includes billing, recharge, and payment-related endpoints that are outside the stated role-building and image-generation purpose of the skill. Exposing monetization operations in a broader creative agent increases the attack surface and creates a path for unauthorized financial actions if the tool is invoked with valid keys.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger examples include very broad natural-language phrases such as generic image-generation requests, which can cause the skill to activate unintentionally during normal conversation. Because this skill can write persistent role data and make networked image-generation calls, accidental invocation can lead to unintended external requests, state changes, or charges.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to overlap with ordinary conversation about photos, scenery, or roles, which can cause the skill to activate outside the user's intended scope. In a skill that writes files and manages persistent role state, unintended invocation can lead to unwanted workspace changes, persona creation, or role switching without sufficiently explicit user consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation scope covers character creation, clone creation, switching roles, and image-related operations with limited boundary conditions, making it ambiguous when the skill should take control. Because the skill performs persistent filesystem writes under ~/.openclaw and can alter the active workspace, unclear invocation criteria increase the risk of accidental state changes from loosely related user prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template directs the agent to persist memory across sessions and to update files when the user says 'remember this,' but it does not require a clear warning about retention, scope, or how long data will persist. In a role-building skill that may handle persona, relationship, and image-generation context, this can lead to users unintentionally disclosing and permanently storing sensitive personal information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reference explicitly permits credentials in request bodies and query parameters without cautioning that these locations are commonly logged by clients, proxies, analytics layers, and server middleware. This increases the chance of service key exposure and subsequent unauthorized image generation, character management, history access, or billing actions.
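The two helper findings above (a path argument that accepts full URLs and defeats the allowlist, and credentials accepted in query strings and bodies), together with the billing-endpoint finding, describe one request builder that should have refused those inputs. The following is an added example written for this review, not the scanned skill's helper or TuQu's API: it shows the permissive urljoin() pattern beside a hardened builder. The base URL, the endpoint prefixes, the billing prefixes, and the credential-like parameter names are assumptions chosen for illustration.

```python
"""Hardened request builder for a skill API helper.

Added example written for this review; it is not the scanned skill's helper.
The base URL, endpoint prefixes and parameter names below are assumptions
chosen for illustration, not values taken from the skill or from the TuQu API.
"""
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

BASE_URL = "https://api.example.invalid/v1/"  # assumed base; not the real service
# Assumed allowlist covering only what the skill description advertises.
ALLOWED_PREFIXES = ("characters/", "images/generate", "history/")
# Billing endpoints sit outside the allowlist and need an explicit opt-in.
BILLING_PREFIXES = ("billing/", "recharge/", "payments/")
# Parameter names that would carry a credential into URLs, proxy logs and access logs.
SECRET_PARAM_NAMES = {"key", "api_key", "apikey", "token", "access_token", "service_key"}


class RequestRejected(ValueError):
    """Raised when a request would leave the allowlisted API surface or leak a credential."""


def vulnerable_resolve(path):
    """The permissive pattern the finding describes: urljoin() lets an absolute
    URL (or a scheme-relative "//host/..." path) replace the configured base
    entirely, so the caller chooses the destination host."""
    return urljoin(BASE_URL, path)


def build_request(path, service_key, query=None, body=None, allow_billing=False):
    """Return (url, headers, body) or raise RequestRejected.

    Checks, in order: the path carries no scheme or host; the joined URL is
    still under BASE_URL after ".." normalisation; the endpoint is on the
    allowlist (billing only with allow_billing=True); no credential-like
    parameter appears in the query string or the body. The key itself goes in
    the Authorization header, which clients and proxies normally do not log.
    """
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or path.startswith(("/", "\\")):
        raise RequestRejected(f"absolute or host-bearing path refused: {path!r}")

    url = urljoin(BASE_URL, path)
    if not url.startswith(BASE_URL):
        raise RequestRejected(f"path escapes the base URL: {path!r}")

    endpoint = url[len(BASE_URL):].split("?", 1)[0]
    if endpoint.startswith(BILLING_PREFIXES):
        if not allow_billing:
            raise RequestRejected(f"billing endpoint needs explicit opt-in: {endpoint!r}")
    elif not endpoint.startswith(ALLOWED_PREFIXES):
        raise RequestRejected(f"endpoint not on the allowlist: {endpoint!r}")

    merged = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    merged.update(query or {})
    leaked = SECRET_PARAM_NAMES & {k.lower() for k in merged}
    if leaked:
        raise RequestRejected(f"credential-like query parameter refused: {sorted(leaked)}")
    if body:
        leaked = SECRET_PARAM_NAMES & {k.lower() for k in body}
        if leaked:
            raise RequestRejected(f"credential-like body field refused: {sorted(leaked)}")

    final_url = urlsplit(url)._replace(query=urlencode(merged)).geturl()
    headers = {"Authorization": f"Bearer {service_key}"}
    return final_url, headers, body


def is_rejected(path, **kwargs):
    """True if build_request refuses the path (used by the demo below)."""
    try:
        build_request(path, "sk_example", **kwargs)
    except RequestRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the bypasses the finding describes, permissive vs hardened.
    for p in ("https://evil.example/collect", "//evil.example/collect", "../admin"):
        print(f"{p!r:32} permissive -> {vulnerable_resolve(p)}  hardened rejects: {is_rejected(p)}")
    print(build_request("images/generate", "sk_example", query={"size": "1024"}))
```

The order of checks matters: the allowlist is evaluated on the URL after urljoin() has resolved dot segments, so "characters/../billing/recharge" is classified as a billing call rather than slipping through under the characters/ prefix. Rejecting rather than silently stripping a key-named parameter is deliberate, since a caller that put the key there is already holding it in the wrong place and should be told.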

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: openclaw-role-builder
description: >-
  Build and manage OpenClaw roles — create a full AI character role from any
  public figure or fictional character, then generate identity-consistent
  selfies and photos for that role. Use when building roles (创建角色, 创建clone,
  新建人物, build a role), switching the active role (/shift, 切换角色), taking
Confidence
84% confidence
Finding
create a full AI character role from any public figure or fictional character, then generate identity-consistent selfies and photos for that role. Use when building roles (创建角色, 创建clone, 新建人物, b

VirusTotal

None of the 64 VirusTotal vendors flagged this skill; all 64 reported it clean. Note that this is a static antivirus verdict and does not cover the agentic risks listed above.
