Back to skill

Security audit

IceCube Auto Content

Security checks across malware telemetry and agentic risk

Overview

This skill generates local content drafts and reports, with some broad local status checks but no evidence of hidden exfiltration, destructive behavior, credential capture, or automatic external posting.

Install only if you are comfortable with a skill that writes marketing/content drafts and local reports into OpenClaw memory and may read local workspace status for those reports. Review all generated content before posting, and do not give it social-platform credentials or automate replies/publishing unless you add explicit approval, logging, and deletion/retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads local workspace state, task data, configuration, and gateway status even though the stated skill purpose is content generation. This expands access to internal operational information and can expose sensitive metadata such as installed skills, active tasks, model configuration, and system status in generated output or logs without a clear need-to-know basis.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script enumerates general OpenClaw platform state such as gateway availability, installed skills, task counts, and memory usage, which goes beyond the stated purpose of an auto content-generation skill. Even though it is only a read-only health check, it increases visibility into broader workspace operations and can expose internal environment details that are unnecessary for the skill’s function.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script reads operational data from shared workspace paths, including installed skills, task workflow state, and memory storage size, none of which are clearly needed to generate content. In a multi-skill or multi-tenant workspace, this broad inspection can leak sensitive metadata about other activities and create unnecessary cross-scope access.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill describes automated script execution on a schedule and ongoing monitoring/reply workflows without stating what data is accessed, what side effects occur, or whether publishing/reply actions are gated by user consent. In an agent environment, silent automation can lead to unauthorized posting, unintended data processing, or persistent changes to the workspace or external accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill specifies writing analytics and conversion data to a persistent memory path, including engagement metrics and revenue-related tracking, without any notice about storage, retention, sensitivity, or user approval. Persistent analytics files can expose business data, behavioral history, or personal information if accessed by other skills, users, or processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.