Back to skill

Security audit

References

Security checks across malware telemetry and agentic risk

Overview

The main security-audit tool is plausible, but the package also contains undisclosed unrelated scripts that can send chat messages and process payment files.

Review before installing. Use the audit script only if you are comfortable with it inspecting local configuration, environment-variable names, git history, ports, and writing reports. Do not run or keep the unrelated reminder and payment scripts unless you explicitly need them; rotate the exposed WeCom webhook if it belongs to you, and review/redact any audit report before sending it to Feishu or any webhook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes capabilities to read environment variables, inspect files, write reports, invoke shell commands, and send data externally, yet it declares no permissions. That mismatch prevents informed consent and weakens sandbox/policy enforcement, especially because the audited data may include secrets from env vars, configs, git history, and local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior for a security-audit skill is inconsistent with additional capabilities reported by static analysis, including unrelated reminder sending, payment/billing file aggregation, hardcoded webhook usage, and external network transmission. A security tool with hidden unrelated behaviors is especially dangerous because users are likely to grant it broad trust and expose sensitive filesystem, environment, and report data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document explicitly recommends `exec()` as an alternative to `eval()` in Python, which is unsafe guidance because `exec()` also executes attacker-controlled code and does not mitigate code injection risk. In a security-best-practices skill, incorrect defensive advice is especially dangerous because downstream users may adopt it believing it is safe.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The guidance maps Python `exec()` to `subprocess.run()` as if they were equivalent safer substitutes, but they solve different problems: `exec()` executes Python code, while `subprocess.run()` launches external processes. This confusion can lead users to replace one dangerous primitive with another without understanding validation, argument handling, or the need to avoid `shell=True`.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's behavior is unrelated to the declared security-audit capability: it sends attendance reminder messages to an external enterprise WeChat webhook. This mismatch is dangerous because users invoking a security skill would not reasonably expect unrelated outbound messaging behavior, creating a trust-boundary violation and increasing the risk of covert or unauthorized actions under a misleading manifest.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file contains outbound webhook messaging capability that is not justified by the skill's stated purpose of performing security audits. In a security-focused skill, hidden or unnecessary network egress is especially risky because it can be repurposed for data exfiltration, command signaling, or deceptive side effects while users believe they are running only local analysis.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's behavior is materially inconsistent with the declared security-audit skill: instead of auditing security, it processes and summarizes personal payment records. In an agent-skill context, this mismatch is dangerous because a user invoking a 'security check' could unknowingly expose sensitive financial files to an unrelated data-processing workflow, violating user expectations and least surprise.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script adds an outbound reporting capability that sends security audit results to Feishu or an OpenClaw-discovered endpoint, which is materially broader than a local audit-only skill. Audit reports often contain sensitive host details, findings, paths, and possibly secrets, so undisclosed exfiltration increases data leakage risk and violates least surprise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading ~/.openclaw/openclaw.json to discover plugin endpoints introduces an undeclared trust boundary and can route audit data to destinations the user did not explicitly specify at runtime. Because the endpoint is config-derived, a compromised or unexpected local configuration can silently influence where sensitive reports are sent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code transmits audit report contents over the network to webhook or plugin API endpoints, creating a direct exfiltration path for potentially sensitive security findings. In a security-audit skill, reports may include vulnerabilities, system metadata, file paths, and secrets, making remote transmission especially sensitive if not tightly controlled and disclosed.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This script implements behavior unrelated to the declared security-audit skill and sends external reminders to a WeCom webhook. In a security-focused skill, undocumented outbound messaging is dangerous because it expands the capability surface, can be used for unauthorized communication or data routing, and indicates possible skill/package mismatch or hidden behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Outbound messaging to an enterprise chat webhook is not justified by the stated purpose of a security-audit skill. This mismatch makes the capability more dangerous because users invoking a security audit would not reasonably expect the skill to contact third-party endpoints, creating risk of covert notification, data leakage, or abuse of embedded webhook credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments explicitly describe a weekly UGC collection reminder, which contradicts the documented purpose of the enclosing security-audit skill. Such intent mismatch is a supply-chain and trust problem: it suggests repurposed or hidden functionality that can mislead operators about what code will run.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad terms like 'security check' and 'audit', which can overlap with normal conversation and cause the skill to run unexpectedly. Because this skill may scan environment variables, files, ports, git state, and potentially send reports externally, accidental activation increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill documentation does not prominently warn users that it may inspect environment variables and send reports to external services such as Feishu webhooks or plugin APIs. In the context of a security audit tool, those operations can expose credentials, internal host details, and source-code findings unless users explicitly understand and approve them.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document recommends `npm audit fix` and especially `npm audit fix --force` with only minimal caution, without clearly explaining that these commands can change dependency trees, update lockfiles, introduce breaking upgrades, and alter project state. In a security-audit skill, users may trust and run these commands quickly, which can cause production breakage or unsafe unreviewed changes during remediation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The aggressive strategy explicitly recommends `npm audit fix --audit-level=moderate --force`, which can perform major-version changes and other disruptive dependency modifications, yet the warning is not strong enough for the level of risk. The surrounding rollback guidance is also unsafe and confused, because it mixes forceful fixes with partial manual restoration of `node_modules`, which may leave the repository and lockfiles in an inconsistent state.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script sends a secret-backed webhook request without meaningful user-facing disclosure at runtime beyond code comments, which reduces transparency around external communication. While the transmitted message content is not highly sensitive here, undisclosed external transmission from a mislabeled security skill undermines informed consent and can normalize hidden network behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script writes a Markdown report containing payment totals, categories, and filenames to disk without any privacy notice, consent prompt, or permission hardening. In this skill context, that creates an unintended data-at-rest exposure risk because financial information may be stored in a predictable location and later read by other local users, tools, backups, or indexing services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script appends payment summary metadata, including report path, total amount, and transaction count, to a persistent log file in the user's home directory without explicit disclosure. Even though it logs metadata rather than full bill contents, this still reveals sensitive financial information over time and can create a historical audit trail of the user's finances accessible to other processes or users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script enumerates the full process environment and classifies potentially sensitive variables without an explicit opt-in, prominent disclosure, or minimization. In an agent skill context, this increases the risk of collecting secrets unrelated to the user's immediate task and surfacing their names or derived metadata into reports and logs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script can send audit data externally via a webhook without an upfront warning that local security findings will leave the machine. This weakens informed consent and can lead users to expose sensitive report content to third-party services unintentionally.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The plugin path silently reads local OpenClaw/Feishu configuration and posts report data to the discovered API endpoint, without clearly disclosing that a config-derived remote service will receive the report. That hidden indirection is risky because users may not realize where their audit output is being sent or that local config can alter the destination.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script transmits a network message without any user-facing disclosure, confirmation, or runtime notice beyond a local success echo after the fact. In the context of a security-audit skill, silent outbound communication is especially risky because users may run it expecting inspection only, not active external actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/security_audit.py:408

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
code-security.md:92