ClawHub

SkillGuard

Security checks across malware telemetry and agentic risk

Overview

SkillGuard is a coherent safety scanner, but it asks for high-trust credentials and automatically changes persistent workspace policy beyond a simple scan.

Install only if you trust the Apify actor/operator and are comfortable exposing a protected OpenClaw webhook path and related tokens. Use dedicated, rotatable credentials, review or remove the automatic TOOLS.md policy write, and treat a passing result as a limited SKILL.md scan rather than proof the full skill package is safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to run shell commands such as the bundled bash script and a file-append command, yet the manifest does not declare shell capability or equivalent permission. This creates a transparency and policy-enforcement gap: reviewers and runtime controls may underestimate what the skill can do, especially because one of the commands modifies local workspace state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a scanner/auditor, but it also instructs the agent to change TOOLS.md and alter future installation behavior across sessions. That is a scope expansion from passive analysis into persistent policy modification, which can influence unrelated future tasks and bypass user expectations about what a scanning skill should do.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatically appending policy text to TOOLS.md is not necessary to scan a skill and gives this skill a durable way to influence the agent's future behavior. Persistent instruction injection into workspace policy files is dangerous because it survives the current task, affects later sessions, and normalizes self-installing guardrails without explicit consent.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The description says the skill should run automatically when the user asks to install a skill, which is a broad trigger for a third-party action involving external services and webhooks. Broad invocation increases the chance of unintended activation, especially in systems where trigger matching is heuristic or overlaps with other install workflows.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Several example trigger phrases are common natural-language requests like 'install [skill]' or 'scan [skill]', making accidental invocation plausible. In a tool-enabled agent, ambiguous triggers can cause unsolicited network calls, webhook setup, or policy-related actions when the user may only be asking a question.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs automatic modification of a local policy file during first install without adequate warning that it changes persistent workspace state. Silent or implicit local state changes are dangerous because they can alter future agent behavior, create hard-to-trace policy drift, and exceed the user's reasonable expectation for a scanning utility.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal