Back to skill

Security audit

Consulting

Security checks across malware telemetry and agentic risk

Overview

This consulting skill transparently stores engagement notes locally and shows no evidence of network access, credential use, hidden behavior, or destructive actions.

Install only if you are comfortable saving client names and engagement problems in local OpenClaw workspace memory. Avoid entering unnecessary confidential or regulated client details, review or delete old records when needed, and inspect any additional helper scripts if future versions add them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares local data storage and references multiple scripts plus writable files under `memory/consulting/`, which implies file read/write capability without an explicit permissions declaration. This creates a transparency and enforcement gap: the host may invoke a skill that can access or persist sensitive client data even though the manifest does not clearly communicate or constrain that access.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description is broad enough to match many ordinary business conversations about proposals, pricing, relationships, or deliverables, increasing the chance of unintended invocation. In this skill, accidental activation is more concerning because it is designed to read and write confidential consulting records, so a misfire could expose, mix, or persist sensitive client information inappropriately.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.