OpenClaw Agent Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent OpenClaw administration helper, but it can change a local agent setup and create scheduled Telegram/reporting tasks.

Install it only if you are administering the OpenClaw setup it is intended for. Review every config change, cron schedule, shell substitution, report command, and Telegram destination before restarting the gateway; keep backups; avoid untrusted input in cron prompt fields; and do not use report commands that could expose secrets unless you explicitly intend that output to be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers (Medium)
Confidence: 96%
Finding: The skill description contains broad activation language such as 'create, add, or set up' and 'modifying existing agent configs, adding cron jobs to agents, or debugging agent routing issues,' which can match many ordinary admin requests. In an agentic system, this increases the chance the skill is invoked outside a narrowly intended context and then performs high-impact filesystem and configuration changes under ~/.openclaw/.

Vague Triggers (Medium)
Confidence: 84%
Finding: The phrase 'Don't ask permission. Just do it.' encourages autonomous action without an explicit boundary on what may be performed automatically. In an agent workspace template used across sessions, this can normalize acting on files and context sources without consent checks, increasing the risk of unintended actions or prompt-induced overreach.

Missing User Warnings (Medium)
Confidence: 88%
Finding: The instruction to delete BOOTSTRAP.md after following it directs file deletion without any confirmation, retention policy, or verification that the file is safe to remove. Because this is a reusable template for agents, it can lead to accidental loss of initialization data or concealment of provenance and audit context.

Vague Triggers (Medium)
Confidence: 88%
Finding: The template instructs behavior for 'When Arch asks questions in the group' without defining a precise activation trigger, mention requirement, or routing boundary. In a multi-agent chat system, ambiguous invocation conditions can cause unintended agent responses, cross-agent prompt injection exposure, or accidental execution in conversations not meant for this agent.

Missing User Warnings (Medium)
Confidence: 95%
Finding: The documentation explicitly states that `$(...)` shell substitution works in `payload.message`, which creates a command-execution primitive inside scheduled job configuration. In the context of an agent-creation skill that provisions cron jobs and prompt payloads, this is especially dangerous because operators may copy this pattern into production configs without realizing that untrusted or templated input could trigger arbitrary shell command execution on the host.

VirusTotal

65/65 vendors flagged this skill as clean.