OpenClaw Trends

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed public trend-search tool, but users should understand it makes external searches and includes a hardcoded YouTube API key.

Install only if you are comfortable with the skill contacting YouTube/Google, DuckDuckGo, and possibly GitHub to search public OpenClaw content. Set your own YOUTUBE_API_KEY if you use it regularly, and do not add the cron line unless you intentionally want daily background checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'req' from os.environ.get (line 67, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    full_url = f"{url}?{urllib.parse.urlencode(params)}"

    req = urllib.request.Request(full_url)
    with urllib.request.urlopen(req, timeout=10) as response:
        data = json.loads(response.read().decode())

    for item in data.get("items", []):
Confidence: 94%
Finding: with urllib.request.urlopen(req, timeout=10) as response:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises network, shell, and environment-dependent behavior without declaring permissions, which weakens user consent and runtime governance. In practice this enables external requests and local command execution paths that may expose data, use local credentials, or perform actions the user did not explicitly authorize.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented behavior goes beyond simple content aggregation by including a hardcoded/default YouTube API key path, GitHub access via the local gh CLI, and a notify mode not reflected in the stated purpose. This mismatch is dangerous because users may invoke the skill expecting passive lookup while it actually consumes credentials, uses local authenticated tooling, and may trigger outbound notifications or broader actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Embedding a YouTube API key 'for convenience' encourages insecure credential handling and can lead to accidental disclosure through source control, logs, or redistribution of the skill. A hardcoded key also creates a reusable secret that attackers or downstream users could abuse, causing quota exhaustion or unauthorized API usage billed to the owner.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The cron-based scheduled execution and --notify pathway extend the skill from an on-demand lookup tool into a persistent background data-transmission mechanism. That increases risk because it can repeatedly send queries to external services and potentially emit notifications without clear, per-run user awareness or consent.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: Omitting a warning that scheduled checks send queries to external services reduces transparency around ongoing data egress. Users may unknowingly cause repeated outbound requests that reveal interests, project names, or usage patterns to third-party services over time.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: A hardcoded YouTube API key is embedded in the source and used automatically if no environment variable is set. Hardcoded secrets are dangerous because they are easily leaked, reused unintentionally across deployments, and may violate expectations about credential use and outbound data sharing.

VirusTotal

65/65 vendors flagged this skill as clean.
