Back to skill

Security audit

Agent Deployment Kit

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is mostly coherent, but it needs Review because some troubleshooting guidance weakens safety checks for agent deployment and directory overwrite workflows.

Treat this as design guidance, not ready-to-copy deployment code. Before using it, correct the troubleshooting guidance to type-check first, remove or tightly control force override, require dry-run/path confirmation/backups for any overwrite, and test the sentinel gate against null, numbers, arrays, objects, empty strings, and sentinel strings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The troubleshooting entry tells users to 'Serialize before testing', but earlier sections explicitly explain that serialization such as `JSON.stringify(v ?? '')` launders invalid values like `null` into empty strings and causes the sentinel gate to fail open. Because this guidance directly contradicts the intended safety control, an implementer could adopt the unsafe pattern and silently allow unknown or invalid values into deployment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The troubleshooting guidance permits a 'force-override' path when the target exists but lacks the install marker, without requiring a strong warning, confirmation flow, or recovery procedure. In a skill centered on filesystem deployment and rename/delete operations, that advice can normalize overriding safety checks and lead to accidental overwrite or destruction of unrelated directories.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
| **Post-render validation on the files, not the vars:** 0 residual `{{...}}`, every `.json` re-parsed. | A value carrying a quote produces valid-looking, broken JSON. The render is not the deliverable — the files are. |
| **Validate `INSTALL_DIRNAME` before use:** single segment `[A-Za-z0-9._-]+`, never `.` or `..`. | It looks like a name, it is a path fragment. `".."` resolves the target to your home directory and the deploy **renames it**. Valid JSON, no placeholder, no error. Verified: `path.join(os.homedir(), "..")` → `/Users`. |
| **Own a directory before you wipe it.** Write an ownership marker when you create `out/`; refuse any `out/` lacking it. | `out/` is the default build dir of tsc, next export and webpack. "Rebuilt from scratch every run" reads as hygiene and executes as `rm -rf` on a stranger's build tree. |
| **One guard function, called from every destructive path.** Count your `rmSync`/`renameSync` call sites, not your guards. | The obvious path refuses, a sibling entry point still wipes. Reproduced: a foreign `out/dist/bundle.js` survived a plain render (exit 1) and was destroyed by the purge path (exit 0) — the purge reached its own `rmSync` through an early exit, *before* the guard line. The path that bites is never the one you tested. |
| **Require an install marker before overwriting.** Refuse `$HOME`, refuse `/`, refuse a target with no `openclaw.json`; back up to `<home>.bak-<ISO>` first. | The marker test is the only thing between a typo (`~/Documents` for `~/Documents/.agent`) and a renamed real folder. `renameSync` never asks. |
| **Set modes on the destination, after write *and* after the copy:** 0700 dirs, 0600 files, 0700 `.sh`. | A rendered file is a **new** file at the umask (0644) — rendered secrets land world-readable. A copy carries bytes, not modes: the chmod you did before it is gone. Fails weeks later as `permission denied`, or never, which is worse. |
| **Deploy is opt-in; default stops at `out/`** so a human reads it first. |
...[truncated 24 chars]
Confidence
90% confidence
Finding
rmSync`/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.