Openclaw Spirits

Security checks across malware telemetry and agentic risk

Overview

This is a self-contained virtual companion skill with disclosed local storage and ambient-message behavior, but no evidence of exfiltration, credential access, destructive actions, or hidden persistence.

Install this only if you are comfortable with a virtual pet being generated from a stable user identifier or username and saved locally in the skill directory. If unsolicited companion messages would be distracting, configure the agent to respond only to explicit commands such as `spirit`, `spirit show`, or `spirit talk`.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (10)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The skill allows activation from broad phrases and even by calling the spirit’s name with no command prefix, which can cause unintended triggering during normal conversation. In an agent environment, ambiguous invocation rules can let the skill hijack unrelated user messages, produce unwanted outputs, and interfere with higher-priority tasks or sensitive interactions.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The passive appearance rules permit agent-initiated messages on common events like greetings, inactivity, random heartbeat, and achievements. Even though the text says to keep them subtle, these triggers are broad enough to create unsolicited outputs, context collisions, and surprise disclosures in conversations where users did not explicitly ask for the companion system.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The setup instructs the agent to derive a spirit from a user’s platform identifier and save the resulting companion data to disk, but the skill description does not clearly warn users that identity-derived data is persisted locally. This creates a transparency and privacy issue: users may unknowingly have profile-like data generated from their identity and retained across sessions.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The README describes ambient, unsolicited behavior such as the spirit appearing on its own, speaking during quiet moments, and reacting to user activity, while only loosely stating that it 'never interrupts serious work.' Those triggers are subjective and lack explicit opt-in, rate limits, or context boundaries, which can cause the skill to activate unexpectedly in unrelated or sensitive workflows and create prompt-surface or distraction risks.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The activation description includes broad triggers such as generic references to pets, companions, or first install, which can cause the skill to run without a clear, intentional user request. In a conversational agent, unintended invocation can disrupt normal interactions, create confusing autonomous behavior, and trigger storage or generation steps based on user identity without explicit consent.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: Allowing invocation by just the spirit's name or without a command prefix is highly ambiguous and can be triggered during ordinary conversation. This makes the skill prone to accidental takeover of the interaction flow, especially if the generated name overlaps with common words or names mentioned in unrelated contexts.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The passive appearance rules authorize agent-initiated messages on broad conditions like greetings, long silence, random heartbeat chance, or achievement detection, but the boundaries are not enforceable or precise. This can lead to unprompted content injection into conversations, including in contexts where it is distracting, privacy-invasive, or inconsistent with user expectations.

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: The skill prescribes a Chinese output format for Feishu or Chinese users based on platform or inferred user category rather than asking the user which language they want. This can mis-handle multilingual users, override user preference, and create a poor or exclusionary experience, though the security impact is limited compared with code execution or data exfiltration issues.

Natural-Language Policy Violations

Medium

Confidence: 86% confidence
Finding: Forcing English output for Telegram, Discord, or English users without explicit selection creates the same preference override problem in the opposite direction. While primarily a product-safety and UX issue, it can still cause unintended disclosure or misunderstanding if the wrong language is used in mixed-language environments.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The passive presence rules use broad conversational triggers such as greetings, heartbeat events, and long silence, which can cause the spirit to speak without an explicit user request. In an agent context, unsolicited output can interrupt normal conversations, create confusion, and leak stateful behavior into workflows that did not intend to invoke the skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal