openclaw-security-patrol

Security checks across malware telemetry and agentic risk

Overview

This is a coherent security-audit skill, but it under-discloses persistent device identification in local mode and relies on sensitive host inspection plus optional identifiable uploads.

Review before installing. Use local mode only if you are comfortable with a host-level audit that reads logs, process metadata, SSH/system configuration, workspace files, and installed skill inventory. Use --push only if you trust Changeway/auth.ctct.cn with device identifiers and audit summaries. Avoid scheduled scans unless you want ongoing local inspection, and do not rely on the embedded integrity hash until the publisher fixes it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares `credentials: none` and no explicit permissions, yet its documented behavior includes command execution, environment access, and broad reading of sensitive local state. This permission/capability mismatch is dangerous because users and policy engines may underestimate what the skill can actually access and execute.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the breadth of collection and inspection: the skill appears to read additional sensitive files, inspect workspace contents for secrets, enumerate processes/ports/logs, and perform extra remote assessment activity in `--push` mode. In a security-audit skill this broader access is contextually plausible, but failing to fully disclose it materially increases privacy and security risk because users may consent to less than what is actually performed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
In --push mode, the script transmits more than a minimal audit summary: it sends a persistent agent_id plus host-identifying headers including MAC address, hostname, timestamp, nonce, and a derived signature. That exceeds the manifest's plain-language expectation of 'summary data upload' and creates unnecessary device fingerprinting and tracking risk, especially because the identifier is stable across runs.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script reads another process's environment block from /proc/<pid>/environ and enumerates variables whose names suggest secrets. Even though values are redacted in output, this still inspects sensitive process memory-derived metadata that may not be expected by users and can reveal secret inventory or naming conventions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The heuristic DLP scan recursively reads files under the workspace to detect private-key-like hex strings and mnemonic phrases. This broad content inspection goes beyond the manifest's declared sources and can read arbitrary user project material, increasing exposure of secrets and sensitive documents during a security audit.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include very broad terms like '巡检' ("patrol/inspection"), '检查安全' ("check security"), and '系统安全' ("system security"), which can overlap with ordinary conversation and cause unintended invocation of a powerful skill. Because this skill reads sensitive system information and can persist reports or set cron tasks, accidental activation increases the chance of unauthorized data access or confusing consent flows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When --push is enabled, host-identifying telemetry is sent automatically, but there is no in-script user-facing warning or interactive confirmation at the point of transmission. Relying on a CLI flag alone is weak consent when the payload includes persistent identifiers and device metadata.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Required: Node.js v18+
    Optional: openclaw CLI (used for scheduled-task management; the scheduled-patrol feature depends on the openclaw cron command)
    System commands invoked by the script (if one is missing, the corresponding check is SKIPped without affecting the other items):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr
Confidence
80% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Optional: openclaw CLI (used for scheduled-task management; the scheduled-patrol feature depends on the openclaw cron command)
    System commands invoked by the script (if one is missing, the corresponding check is SKIPped without affecting the other items):
      macOS: find, lsof, netstat, ps, last, lastb, grep, awk, cat, sudo
      Linux: find, ss, lsof, ps, journalctl, last, lastb, grep, awk, cat, sudo
      Windows: wmic, netstat, tasklist, findstr

security_notes: |
Confidence
80% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
} else {
        configFiles.push(
            '/etc/ssh/sshd_config',
            path.join(HOME, '.ssh/authorized_keys'),
            path.join(HOME, '.ssh/config'),
            '/etc/passwd',
            '/etc/shadow'
Confidence
84% confidence
Finding
.ssh/authorized_keys

Credential Access

High
Category
Privilege Escalation
Content
path.join(HOME, '.ssh/authorized_keys'),
            path.join(HOME, '.ssh/config'),
            '/etc/passwd',
            '/etc/shadow'
        );
    }
Confidence
96% confidence
Finding
/etc/shadow

Session Persistence

Medium
Category
Rogue Agent
Content
**Hard requirements for scheduled tasks**:
- Must use the `openclaw cron add` command
- Using the system crontab (`crontab -e`, etc.) is prohibited
- Reason: the system crontab cannot correctly initialize the OpenClaw environment, which causes execution to fail
- ⚠️ Infrastructure binding note: using `openclaw cron` ties scheduled execution to the openclaw infrastructure; if you do not want to depend on that infrastructure, do not set up a scheduled task and run the patrol manually instead
- **The `--push` flag must never be added to the cron command**: scheduled tasks run only in local offline mode and never automatically report device identifiers to a remote endpoint
Confidence
88% confidence
Finding
crontab -e

VirusTotal

65/65 vendors flagged this skill as clean.
