
Security audit

Xz01 Dev Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad live-site and publishing authority with insufficient confirmation gates.

Install only if you intentionally want an agent to operate this specific xz01/900az workflow. Require explicit approval before any /www webroot write, live theme replacement, runtime deletion, Docker/MCP setup, credential use, self-update, or clawhub publish; prefer staging paths and review diffs before release.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs file reads, file writes, network access, and command execution patterns, but no explicit permission model is declared. That creates a dangerous mismatch where a host system or reviewer may underestimate the skill's operational power, increasing the risk of unintended filesystem or network actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file explicitly instructs deployment and validation against live production URLs and a production webroot, which exceeds a normal testing-only scope and creates a real pathway for accidental production modification. In this skill context, that is more dangerous because the surrounding workflow is about automated template generation and validation, so an agent could treat these instructions as approved operational steps and alter a public site.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Labeling the sequence as 'safe' is misleading because the documented actions delete and replace the active production theme and clear runtime state on a live site. That framing can lower operator caution and increase the chance that an agent or user executes destructive actions without understanding the production impact.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
These instructions direct the agent to deploy into a live webroot and modify production-adjacent content, which exceeds a read-only reference or coordination role. In an agent skill, this materially increases the chance of unauthorized production changes, outage, defacement, or destructive overwrite if the skill is triggered in the wrong context.

Context-Inappropriate Capability

Low
Confidence
76% confidence
Finding
The file embeds concrete validation and browser automation against live domains, including production hosts, which gives the skill operational behavior beyond passive learning/spec guidance. In context, this is dangerous because it encourages unsolicited external interaction and environment-coupled actions whenever the skill is invoked.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The reference document directs the skill to perform ClawHub publishing, which is outside the described xz01 templating/orchestration scope and grants a release-side effect not justified by the skill’s core purpose. This broadens the skill from local coordination into distribution of artifacts, increasing the chance of unauthorized or accidental public release of modified behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented workflow materially expands the skill from development coordination into package/release publication behavior. That scope creep is dangerous because it couples ordinary editing tasks with external release actions, allowing a simple local patch flow to silently become a deployment/publication flow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill mandates automatic publishing with wording such as executing `clawhub publish` immediately and not asking the user whether to publish. That removes an approval checkpoint for an externally visible state change, which can cause unauthorized or premature release of modified skills.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs writing test outputs, validation artifacts, and website verification outputs into `/www/wwwroot/www.900az.com`, which appears to be a live or production-like web root. Writing generated artifacts into a served path can expose internal reports, screenshots, helper outputs, or accidentally affect live site behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions perform destructive file deletion and cache/runtime clearing on a production path without a prominent warning about downtime, rollback risk, or service instability. In this context, omission of safeguards is security-relevant because it normalizes unsafe operational behavior and increases the likelihood of availability-impacting mistakes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The deployment steps instruct writing into a live webroot and clearing runtime cache without any warning, approval gate, or production-safety language. That makes accidental production modification much more likely, especially for an automated agent that may treat the notes as authorized operating procedure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instruction to publish automatically and specifically 'Do not ask whether to publish' removes a critical human approval checkpoint before an external side effect. In an adversarial or mistaken context, this can cause unauthorized releases, propagation of bad changes, and loss of control over what gets distributed under the skill’s identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs writing state, reports, screenshots, and packaged outputs to real filesystem locations and describes deployment/cache-clearing behavior, but it does not require explicit user confirmation, scope restriction, or safety checks before those actions occur. In an agent skill, this can normalize system-modifying operations as part of routine workflow, increasing the chance of unintended writes, deployments, or destructive cache operations on a live or sensitive environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script deletes everything directly under a runtime directory using `rm -rf` with no confirmation, dry-run mode, or strong path safety guard beyond checking that the directory exists. Because the target path is user-controllable via the first argument, an operator error or unexpected invocation could wipe arbitrary directory contents, making this a real destructive-file-operation risk even if the intended purpose is maintenance.
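The guard a reviewer would ask for here, and for the staging-path / explicit-approval advice in the overview, looks like the following. This is an added example written for this audit page, not the audited skill's own script; `ALLOWED_ROOTS`, `safe_clear_runtime` and the `.runtime-dir` marker file are assumptions of the example. It keeps the skill's "delete direct children of a runtime directory" intent but canonicalises the user-supplied path, refuses anything outside an allowlist, requires the directory to opt in via a marker, and separates a dry-run listing from the actual delete.

```shell
# Added example, not the audited skill's script: a guarded replacement for an
# unconditional "rm -rf <dir>/*" runtime-clear step. ALLOWED_ROOTS,
# safe_clear_runtime and the .runtime-dir marker are assumptions of this example.

# Colon-separated list of roots under which clearing is ever permitted.
ALLOWED_ROOTS="${ALLOWED_ROOTS:-/tmp/staging}"

# safe_clear_runtime DIR [--dry-run] [--yes]
# Exit codes: 0 cleared (or dry-run listing printed), 2 refused by policy,
# 3 policy passed but no explicit --yes, 64 bad usage.
safe_clear_runtime() {
  local target dry_run approved arg resolved ok rest root
  target="$1"; shift
  dry_run=0; approved=0
  for arg in "$@"; do
    case "$arg" in
      --dry-run) dry_run=1 ;;
      --yes)     approved=1 ;;
      *) echo "usage: safe_clear_runtime DIR [--dry-run] [--yes]" >&2; return 64 ;;
    esac
  done

  # Canonicalise first: symlinks and ".." in a user-supplied argument must not
  # be able to point the delete outside the allowlist.
  resolved=$(cd "$target" 2>/dev/null && pwd -P) || {
    echo "refuse: not a directory: $target" >&2; return 2; }

  # Never operate on the filesystem root or the invoking user's home.
  case "$resolved" in
    /|"${HOME:-}") echo "refuse: dangerous target: $resolved" >&2; return 2 ;;
  esac

  # The resolved path must equal, or sit below, one of the allowed roots.
  ok=0; rest="$ALLOWED_ROOTS"
  while [ -n "$rest" ]; do
    root="${rest%%:*}"
    if [ "$root" = "$rest" ]; then rest=""; else rest="${rest#*:}"; fi
    case "$root" in ""|/) continue ;; esac   # an empty or "/" root would allow everything
    case "$resolved" in
      "$root"|"$root"/*) ok=1 ;;
    esac
  done
  [ "$ok" -eq 1 ] || { echo "refuse: $resolved is outside ALLOWED_ROOTS" >&2; return 2; }

  # A marker file makes the directory opt in to being cleared; merely existing
  # (the original script's only check) is not enough.
  [ -f "$resolved/.runtime-dir" ] || { echo "refuse: no .runtime-dir marker in $resolved" >&2; return 2; }

  if [ "$dry_run" -eq 1 ]; then
    echo "dry-run: would remove these entries from $resolved:"
    find "$resolved" -mindepth 1 -maxdepth 1 ! -name .runtime-dir -print
    return 0
  fi
  [ "$approved" -eq 1 ] || { echo "refuse: review --dry-run output, then rerun with --yes" >&2; return 3; }

  # Remove direct children only; the directory itself and its marker survive.
  find "$resolved" -mindepth 1 -maxdepth 1 ! -name .runtime-dir -exec rm -rf -- {} +
  echo "cleared: $resolved"
  return 0
}
```

Typical use is `safe_clear_runtime /path/to/runtime --dry-run`, inspect the listing, then the same call with `--yes`. An agent that can only call this wrapper cannot be talked into wiping an arbitrary directory by a bad first argument, and a production webroot that is not under `ALLOWED_ROOTS` is refused before anything is touched.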

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- `references/session-2026-05-18-pc-nav-scope-validation.md` — validation-scope lesson: when fixing PC top navigation, parse the actual nav container and do not conflate similar labels in lower shortcut/keyword modules with the header nav.
- `references/session-2026-05-18-hermes-native-title-search-repair.md` — direct Hermes xz01 live-site repair lesson: do not call OpenClaw runtime orchestration when the user addresses Hermes; use Hermes-native dev/test delegation, demo read-only reference, shared-head dynamic title repair, theme-only search template fixes, and multi-keyword title validation.
- `references/session-2026-05-18-hermes-native-no-search-regression.md` — user correction and repair pattern for xz01 live-site regressions when Hermes is addressed directly: do not invoke OpenClaw sessions/flow-controller; use Hermes-native verification/delegation; dual-end search boxes should keep visual styling when shown but must be non-functional by default: no `/search` action/link, no enabled input/submit, and no JS submit binding.
- `references/session-2026-05-18-xz01-skill-autopublish.md` — user correction that xz01 skill edits are incomplete until version metadata is synchronized and `clawhub publish` is executed without asking for confirmation.
- `references/session-2026-05-18-pc-mobile-search-visual-repair.md` — live-site search visual repair lesson: PC search must be right/side-aligned and visually weakened rather than top-center; mobile search must be an obvious compact magnifier-style visual-only entry, not merely the absence of a large input; verify 390px mobile card overflow after search/header changes.
- `references/lanhu-mcp-installation.md` — recommended Docker Compose + HTTP MCP setup for `dsphper/lanhu-mcp`, including Hermes native MCP and Claude Code connection examples.
- `references/demo-xz01-may-2026-source-update.md` — read-only learning notes from the May 2026 `demo_xz01` source update, including the user-confirmed rule that front-end PC/mobile sear
...[truncated 24 chars]
Confidence
93% confidence
Finding
without asking

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
3. Synchronize `_meta.json` `version`, `description`, and changelog/updated fields.
4. Audit that `SKILL.md`, `skill.json`, and `_meta.json` now contain the **same version** and that metadata descriptions/changelog describe the actual change; version drift is a blocking error.
5. Check that stale contradictory wording was removed from `SKILL.md` and relevant `references/*.md`.
6. Run `clawhub publish <skill-dir> --version <new-version> --changelog "<actual change>"` immediately; do not ask the user whether to publish.
7. Report the published version and returned publish ID.

Before finishing a complex task that changed the workflow, check whether this skill needs a patch and publish if it was changed.
Confidence
96% confidence
Finding
do not ask the user
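A publish pre-flight that keeps the skill's own "version drift is a blocking error" rule but puts the missing approval checkpoint back (the same gap the two "do not ask whether to publish" findings above describe) can be as small as the function below. It is an added example for this page, not code from the skill or from ClawHub; `skill_version_of`, `preflight_publish` and the `PUBLISH_APPROVED` variable are assumptions, while the three file names and the `clawhub publish` command line are taken from the quoted instructions. The version extraction uses `sed` so the example runs anywhere; a real gate would read the JSON with `jq` or a proper parser.

```shell
# Added example, not the skill's or ClawHub's code. Assumed names:
# skill_version_of, preflight_publish, PUBLISH_APPROVED. The file names and the
# clawhub command shape come from the audited instructions.

# Print the version declared in one metadata file (YAML front matter for
# SKILL.md, a "version" key for the JSON files), or nothing if absent.
skill_version_of() {
  case "$1" in
    *.md)   sed -n 's/^version:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1 ;;
    *.json) sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1 ;;
  esac
}

# preflight_publish SKILL_DIR CHANGELOG
# Exit codes: 0 ready (exact command printed, not executed), 2 metadata missing
# or versions disagree, 3 no explicit approval for this version.
preflight_publish() {
  local dir changelog f v ref
  dir="$1"; changelog="$2"; ref=""
  for f in SKILL.md skill.json _meta.json; do
    [ -f "$dir/$f" ] || { echo "block: missing $dir/$f" >&2; return 2; }
    v=$(skill_version_of "$dir/$f")
    [ -n "$v" ] || { echo "block: no version declared in $f" >&2; return 2; }
    if [ -z "$ref" ]; then
      ref="$v"
    elif [ "$v" != "$ref" ]; then
      echo "block: version drift: $f says $v, SKILL.md says $ref" >&2; return 2
    fi
  done

  # Approval is explicit and bound to the version about to ship, so a stale
  # "yes" from an earlier run cannot authorise a new release.
  if [ "${PUBLISH_APPROVED:-}" != "$ref" ]; then
    echo "needs approval: review the diff, then export PUBLISH_APPROVED=$ref" >&2
    return 3
  fi

  # Print the command rather than running it: the operator sees exactly what
  # would be executed and runs it deliberately.
  printf 'clawhub publish %s --version %s --changelog "%s"\n' "$dir" "$ref" "$changelog"
  return 0
}
```

Wiring `preflight_publish` in place of an unconditional `clawhub publish` turns the skill's step 6 into a two-party action: the agent can prepare and verify the release, but only a human who has exported the matching `PUBLISH_APPROVED` value makes the externally visible state change.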

Self-Modification

High
Category
Rogue Agent
Content
Hermes should continuously improve this skill when actual workflow reveals gaps, but only within Hermes skill storage or another user-authorized non-OpenClaw location.

Patch this skill when:

- the user corrects role division
- a new hard boundary is stated
Confidence
94% confidence
Finding
Patch this skill

Self-Modification

High
Category
Rogue Agent
Content
- a command/path/tool pattern is proven useful
- a previous instruction is stale or unsafe

Do not patch this skill for:

- one-off task progress
- temporary file paths
Confidence
90% confidence
Finding
patch this skill

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.