Solvea Chat

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide the advertised Solvea customer-service integration, but it has review-worthy handling of credentials, customer logs, local agent configuration, and uninstall deletion.

Review before installing on a real customer channel. Use a dedicated new OpenClaw agent and back up openclaw.json/workspace files before setup. Avoid running setup in shared or recorded terminals, restrict permissions on the .env file, and consider disabling or redacting solvea-chat.log before handling sensitive customer messages. Be careful with uninstall prompts that delete a workspace directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The manifest says the skill must never be called for slash-prefixed commands, but the documentation later instructs agents to invoke it for `/reset`. This inconsistency can cause orchestrators or agents to route administrative commands into a customer-service API path unexpectedly, enabling unintended session clearing or command-handling confusion.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The inline usage guide operationalizes behavior that contradicts the manifest by documenting reset handling after stating slash-prefixed commands should never invoke the skill. In an agent ecosystem, contradictory instructions are dangerous because they create nondeterministic control flow and may let users trigger state-changing operations through messages that should have been ignored.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script logs full customer messages and full API results, which can contain sensitive personal data, support details, and server-returned identifiers, into a persistent local file under the workspace. For a customer-service chat skill, this creates unnecessary data retention and expands exposure to anyone or any process with local file access, especially because logging is enabled at DEBUG level by default.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The uninstall script offers to recursively delete the agent workspace path taken from configuration, and the path is not constrained to a skill-owned directory. If the config is malformed, maliciously edited, or points at an unexpected location, a user confirming deletion could erase arbitrary directories under their account. In the context of a chat-API skill, destructive filesystem deletion is broader than the stated purpose and increases risk.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script prints the full contents of an existing .env file to the terminal, which can expose API credentials such as SOLVEA_API_KEY to anyone with terminal visibility, shell logging, screen recording, or session transcript capture. In an installer for a customer-service integration, these secrets are real operational credentials, so disclosure materially increases account-compromise risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly routes every customer message to an external Solvea platform and even mandates verbatim forwarding, but it does not ensure users are warned that their inputs are being transmitted off-platform. This creates a privacy and consent gap: users may disclose personal, financial, or account information believing they are only interacting locally, increasing compliance and data-handling risk.

Unpinned Dependencies

Low
Category: Supply Chain
Content
httpx>=0.27.0
python-dotenv>=1.0.0
Confidence: 95%
Finding
httpx>=0.27.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
httpx>=0.27.0
python-dotenv>=1.0.0
Confidence: 95%
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category: Supply Chain
Confidence: 68%
Finding
python-dotenv

VirusTotal

VirusTotal findings are pending for this skill version.
