OpenPot Awareness

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenPot integration skill, but it needs Review because it combines powerful calendar, SSH, device-pairing, and chat-history access with incomplete privacy and control disclosures.

Install only if you want a broad OpenPot control-center integration and are comfortable granting access to calendars, backend chat storage, device pairing, optional SSH terminal access, and third-party voice/weather services. Before enabling it, review all tokens and calendar credentials, use a least-privilege SSH account, decide how chat history will be retained or deleted, and treat ElevenLabs and weather lookups as external data sharing despite the guide's local-only privacy language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The skill goes beyond describing OpenPot content surfaces and instructs the agent to run local administrative commands (`tailscale status`, `openclaw devices list`, `openclaw devices approve`) and to participate in onboarding flows that affect device trust. This materially expands the agent's authority into host/device administration, increasing the risk of unauthorized pairing, environment reconnaissance, and misuse of local CLI capabilities.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The file contains contradictory directives: a migration section instructs the agent to read and delete content from `SOUL.md`, while the rules section says to never modify `SOUL.md`. Conflicting safety boundaries are dangerous because they create ambiguity that can be exploited or lead the agent to alter protected prompt/configuration files despite an apparent prohibition.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The chat persistence section instructs the agent to store full conversation history in PostgreSQL, expose search/session endpoints, and retain/export messages, but it does not require any user-facing notice about retention, sensitivity of stored content, or deletion/opt-out controls. This creates privacy and compliance risk because users may not understand that conversational data is being backed up, searched, compacted, and exported server-side.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide explicitly states that interacting with the Calendar tab 'quietly sends' today/tomorrow schedule data to the agent and that this happens 'silently.' Even if the agent is user-owned, this is still background sharing of sensitive schedule data without a prominent consent notice or clear control, which creates a privacy vulnerability through inadequate transparency.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The Terminal section promotes 'Full SSH terminal access' and a key-installation workflow without any explicit warning that this enables unrestricted remote command execution on the server. In a skill that teaches agent usage, omitting safety guidance can lead users to grant powerful access without understanding the compromise or misuse risks.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The app sends user-entered city names or postal codes to third-party geocoding services without any visible disclosure, consent flow, or privacy notice in the UI. While this is expected for weather lookup functionality, location queries are sensitive data and transmitting them off-device can expose user location interests to external providers.

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 86%
Content
// 5-digit numeric = US ZIP code
  if (/^\d{5}$/.test(query)) {
    try {
      const res = await fetch('https://api.zippopotam.us/us/' + query);
      if (res.ok) {
        const data = await res.json();
        if (data.places && data.places.length > 0) {
Finding
https://api.zippopotam.us/

External Transmission

Severity: Medium
Category: Data Exfiltration
Confidence: 90%
Content
}

async function fetchWeather(lat, lon) {
  const url = `https://api.open-meteo.com/v1/forecast?latitude=${lat}&longitude=${lon}&current=temperature_2m,relative_humidity_2m,apparent_temperature,weather_code,wind_speed_10m,is_day&daily=weather_code,temperature_2m_max,temperature_2m_min&temperature_unit=fahrenheit&wind_speed_unit=mph&precipitation_unit=inch&forecast_days=6&timezone=auto`;
  const res = await fetch(url);
  return await res.json();
}
Finding
https://api.open-meteo.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal