Security audit

Data Sentinel Pro

Security checks across malware telemetry and agentic risk

Overview

This skill performs disclosed webpage and price monitoring with optional Telegram alerts, but users should be careful about monitored URLs and alert credentials.

Install only if you want ongoing webpage or price monitoring. Use dedicated low-privilege Telegram credentials, avoid monitoring confidential or internal URLs unless you accept that alert data may be sent to Telegram, review any cron entries before enabling them, and periodically remove stored monitor data you no longer need.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill documentation describes capabilities that read local configuration files, write monitor state to local storage, and perform network actions such as fetching pages and sending Telegram/email alerts, yet no permissions are declared. This creates a trust and enforcement gap: users or the host platform may not realize the skill can access files and external services, increasing the chance of over-privileged or silently risky execution.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The script reads a global local configuration file and uses any stored Telegram bot credentials to send outbound notifications containing monitored URL and change details. While this appears intended for legitimate alerting, it creates a cross-scope capability not clearly bounded by the monitoring interface and can expose sensitive monitored targets or content-derived information to an external service without explicit per-use consent.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: The script reads a broader local application config file from ~/.openclaw/openclaw.json to obtain Telegram credentials, even though the skill description focuses on webpage monitoring. This expands the skill's access to local sensitive data and couples monitoring behavior with credential use that is not clearly disclosed, increasing the risk of unintended secret exposure or misuse.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The skill sends monitoring results to Telegram, which is an external third-party service not disclosed in the manifest description. Even if intended as a feature, outbound transmission can leak monitored URLs, timestamps, and change details to an external platform without clear user awareness.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The invocation examples use broad natural-language phrases such as '监控这个页面', '盯住这个商品', and price-change requests that resemble normal conversation. In an assistant environment, such generic phrasing can cause accidental activation, which is more dangerous here because the skill can initiate persistent monitoring, local state writes, and outbound notifications against user-supplied URLs.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The code transmits notification text to Telegram, including the monitored URL and detected changes, without any user-facing warning at the send site. This can leak sensitive monitoring targets, business intelligence, or page-derived data to a third-party service, which is especially relevant for a competitive-monitoring skill.

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The script silently reads a user configuration file that may contain notification credentials and uses that data operationally without clear disclosure in the code path. Even if no exfiltration of the credentials occurs directly, undisclosed access to sensitive local config increases privacy and trust risk and can surprise users about what local secrets the skill consumes.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The code reads local configuration that may contain notification credentials without any visible user-facing disclosure at runtime. This creates a transparency and secret-handling issue because users may not realize the skill is accessing stored tokens and chat identifiers from a broader config source.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.