Back to skill

Security audit

Trugen AI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Trugen AI integration skill whose API-key use, recordings, embeds, deletes, webhooks, and tools are disclosed and aligned with managing Trugen agents.

Install only if you want OpenClaw to help manage Trugen AI resources. Use a dedicated Trugen API key if possible, keep it out of browser code, avoid putting personal data in embed URLs, confirm destructive actions before running delete requests, and review privacy controls for recordings, transcripts, memory, uploaded knowledge bases, webhooks, tools, MCPs, and external LLM tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The iframe example places `username`, `id`, and `context` directly in the URL query string, which can expose potentially sensitive user data through browser history, logs, analytics systems, referrer headers, and shared screenshots or copied links. In this skill's embedding context, developers are likely to copy the example verbatim into production integrations, increasing the chance of unnecessary disclosure of personal identifiers and conversational context.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The example enables recording with `"record": true` but provides no privacy, consent, retention, or legal compliance warning. In a conversational video agent platform, this can lead operators to capture user conversations without appropriate notice or controls, creating privacy and regulatory risk.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
## Delete a Document from a KB

`DELETE /v1/ext/kb/doc/{document_id}`

```bash
curl --request DELETE \
Confidence
70% confidence
Finding
DELETE /v1/ext/kb/doc/{document_id}`

Tool Parameter Abuse

High
Category
Tool Misuse
Content
## Delete a Knowledge Base

`DELETE /v1/ext/kb/{id}`

```bash
curl --request DELETE \
Confidence
74% confidence
Finding
DELETE /v1/ext/kb/{id}`

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/prompting-and-use-cases.md:79