Skill Cortex

Security checks across malware telemetry and agentic risk

Overview

Skill Cortex is a coherently designed skill manager, but it warrants review: it can install and run other skills, and its reflex path may proceed without affirmative user approval.

Install only if you are comfortable with a skill that manages other skills on demand. Treat GitHub-sourced candidates as unreviewed, require affirmative approval for installs and execution plans, and be careful with reflex mode for any skill that reads credentials, account data, private files, or network APIs.
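The gating the overview asks for can be written down as a policy rather than left to the agent's judgment. The block below is an added example, not Skill Cortex's own code: it assumes a hypothetical manifest dict with "source", "permissions" and "description" keys (the skill's real manifest format is not shown on this page), treats "clawhub" as the only reviewed source by assumption, and decides whether a given action may run on the reflex path, must wait for affirmative approval, or has been approved.

```python
"""Reflex-mode gate for a skill manager.

Added example, not Skill Cortex's own code. It assumes a hypothetical manifest
dict with "source", "permissions" and "description" keys; the real skill's
format is not documented on this page.
"""
import re
from dataclasses import dataclass

# Sources whose listings have had some review; anything else is unreviewed.
REVIEWED_SOURCES = {"clawhub"}           # assumption for the example

# Actions that must never run in reflex mode, regardless of what the skill touches.
CONSENT_ACTIONS = {"install", "execute_plan", "write"}

# Capability classes the overview treats as reflex-unsafe.
SENSITIVE_PERMISSIONS = {"credentials", "account_data", "private_files", "network"}

# Free-text hints that a skill touches sensitive data even if its manifest is terse.
SENSITIVE_HINTS = re.compile(
    r"(?i)(api[_ -]?key|\btokens?\b|password|secret|credential|\.env\b|"
    r"\bssh\b|oauth|cookie|~/\.|https?://)"
)


@dataclass
class Decision:
    mode: str           # "reflex" | "needs_approval" | "approved"
    reasons: list


def consent_reasons(manifest: dict, action: str) -> list:
    """Return the reasons this action cannot run on the reflex path (empty if it can)."""
    reasons = []
    source = manifest.get("source", "unknown")
    if source not in REVIEWED_SOURCES:
        reasons.append(f"unreviewed source: {source}")
    if action in CONSENT_ACTIONS:
        reasons.append(f"{action} is a write operation")
    sensitive = set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS
    if sensitive:
        reasons.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
    hint = SENSITIVE_HINTS.search(manifest.get("description", ""))
    if hint:
        reasons.append(f"description mentions sensitive data: {hint.group(0)!r}")
    return reasons


def gate(manifest: dict, action: str, user_approved: bool = False) -> Decision:
    """Reflex only when nothing requires consent; otherwise consent must be explicit."""
    reasons = consent_reasons(manifest, action)
    if not reasons:
        return Decision("reflex", [])
    return Decision("approved" if user_approved else "needs_approval", reasons)


# Constructed manifests for demonstration (not real skills).
TABLE_FORMATTER = {"name": "table-fmt", "source": "clawhub", "permissions": [],
                   "description": "Reformats markdown tables in the current reply."}
GITHUB_MAILER = {"name": "inbox-digest", "source": "github",
                 "permissions": ["account_data", "network"],
                 "description": "Reads your mailbox via OAuth and posts a summary to https://example.invalid"}

if __name__ == "__main__":
    for m, action in [(TABLE_FORMATTER, "execute"), (TABLE_FORMATTER, "install"),
                      (GITHUB_MAILER, "execute"), (GITHUB_MAILER, "install")]:
        d = gate(m, action)
        print(f"{m['name']:13} {action:12} -> {d.mode}: {'; '.join(d.reasons)}")
```

The point of returning every reason rather than the first is that the approval prompt shown to the user can list all of them, so "install an unreviewed GitHub skill that reads account data over the network" is approved as that, not as a generic "allow?".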

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The README states that runtime data is stored persistently at ~/.openclaw/skill-cortex/cortex.json, but it does not give a clear user-facing warning about retention scope, contents, lifetime, or privacy implications. Because this skill learns from task history and stores routing signals, users may unknowingly retain sensitive behavioral metadata on disk, creating privacy and local disclosure risk.
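A user who wants to know what actually ended up on disk can check the state file directly instead of trusting the README's entity-filtering claim. The block below is an added example, not part of Skill Cortex: the layout of cortex.json is not documented on this page, so the walker is schema-agnostic and visits every string leaf of whatever JSON is stored, reports values that look like personal or secret data, and produces a scrubbed copy. The sample state it runs on is constructed for the example.

```python
"""Privacy audit of a persisted skill-router state file.

Added example, not part of Skill Cortex. The layout of cortex.json is not
documented on this page, so the walker is schema-agnostic: it visits every
string leaf of whatever JSON is stored and reports values that look like
personal or secret data, then offers a scrubbed copy.
"""
import json
import re
from collections import Counter

# Patterns for data that "entity filtering" should have stripped before storage.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "home_path": re.compile(r"(?:~|/home/[^/\s]+|/Users/[^/\s]+)/[^\s\"']+"),
    "env_assignment": re.compile(r"\b[A-Z][A-Z0-9_]{2,}=\S+"),
    "token_like": re.compile(r"\b(?:ghp|gho|AKIA|xox[bp]|sk)[-_A-Za-z0-9]{12,}\b"),
    "bearer": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{16,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit(state) -> list:
    """Return one record per suspicious match: where it is, what kind, what matched."""
    findings = []
    for path, text in walk_strings(state):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.append({"path": path, "kind": kind, "match": m.group(0)})
    return findings


def summarize(findings) -> Counter:
    """Count findings by kind, for a quick view of what leaked."""
    return Counter(f["kind"] for f in findings)


def scrub(node):
    """Return a copy of the state with every match replaced by a <kind> placeholder."""
    if isinstance(node, dict):
        return {k: scrub(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub(v) for v in node]
    if isinstance(node, str):
        for kind, rx in PATTERNS.items():
            node = rx.sub(f"<{kind}>", node)
    return node


# Constructed sample state, not real Skill Cortex output.
SAMPLE = json.loads("""
{
  "routes": [{"signal_words": ["deploy", "kubectl", "prod-cluster"],
              "skill": "k8s-helper", "confidence": 0.91}],
  "lessons": [{"text": "user alice@example.com prefers kubectl context prod",
               "confidence": 0.40}],
  "history": [{"task": "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG and run deploy",
               "outcome": "ok"},
              {"task": "summarize ~/Documents/taxes/2023-return.pdf",
               "outcome": "fail"}]
}
""")

if __name__ == "__main__":
    found = audit(SAMPLE)
    for f in found:
        print(f"{f['kind']:15} {f['path']:20} {f['match']}")
    print(dict(summarize(found)))
    print(json.dumps(scrub(SAMPLE), indent=2))
```

Running it against a real file is `audit(json.load(open(path)))` with the path the README gives; the json path in each finding tells you whether the leak sits in routing signals, lessons, or task history, which is what decides whether pruning alone would ever remove it.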

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The activation rule is very broad: the skill triggers whenever installed skills cannot complete a task, with no hard gating around sensitivity, trust level, or user intent. In this context, that broad trigger is risky because the skill can autonomously move into external skill discovery and installation flows, increasing the chance of unnecessary exposure to untrusted third-party content.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The semantic matching logic explicitly tells the agent to use its own judgment with no exact match required, which makes candidate selection highly subjective and hard to audit. In a skill whose purpose is to install and execute other skills from ClawHub or GitHub, this can cause the agent to misclassify intent and select overly powerful or unsafe skills for the user's task.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (README excerpt flagged by the scanner)
- **Entity filtering**: signal words are stripped of personal data before storage
- **Synaptic pruning**: stale routes and low-confidence lessons are automatically cleaned up
- **Failure recovery**: auto-retry, candidate switching, and structured error reporting
- **Safety-first**: write operations never enter reflex; all installs require user consent

## Installation
Confidence: 82%
Finding
The scan output gives no explanation for this finding; it repeats the flagged excerpt, truncated:
write operations never enter reflex; all installs require user consent ## Installation ```bash # Copy into your OpenClaw skills directory cp -r skill-cortex ~/.openclaw/skills/skill-cortex # Or ins

VirusTotal

64/64 vendors reported this skill as clean.
