Ai Reach Kit

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed marketing and publishing kit, but users should review the publish script before running it because it can publish a skill to ClawHub.

Install only if you want a marketing/outreach kit for OpenClaw skills. Before running scripts/publish-to-clawhub.sh, inspect it, confirm the target directory, and make sure you are ready to publish using your active ClawHub account. Customize outreach templates and avoid spammy or unsolicited bulk DMs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises a '1-click' publish script and instructs users to execute it without describing what the script changes, where it deploys, what credentials it uses, or what safeguards exist. In a package explicitly aimed at marketing and monetization, encouraging blind execution of deployment automation increases the risk of unintended publication, credential misuse, or execution of harmful shell commands.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script performs an irreversible external publishing action immediately after changing into the provided directory, without any interactive confirmation, dry-run mode, or explicit safety check. In an agent or automation context, this increases the risk of accidental publication of the wrong skill, sensitive content, or unreviewed changes if the script is invoked with unintended arguments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal