Back to skill

Security audit

Interview

Security checks across malware telemetry and agentic risk

Overview

This interview-prep skill saves interview notes locally and does not show evidence of external sharing, credential access, destructive actions, or hidden execution.

Install only if you are comfortable with interview targets, roles, and story notes being stored locally in the OpenClaw workspace. Avoid entering confidential employer or compensation details unless needed, and periodically review or delete the local interview memory files if using a shared machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises local persistence under `memory/interview/` and references multiple scripts that can read and write files, but no explicit permissions are declared. This creates a capability/manifest mismatch that weakens platform controls and reviewability, especially because the stored content includes sensitive interview notes, salary strategies, and feedback that could be modified or retained without clear user-visible authorization boundaries.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script persists interview-related data to ~/.openclaw/workspace/memory/interview/research.json without warning the user in the file description or comments. While the stored fields are limited, interview targets and roles can be sensitive career information on shared systems, and silent persistence increases privacy risk and surprise data retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.