Openclaw Bastion

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local prompt-injection defense tool, but it ships under-documented commands that can modify, move, and persistently mark workspace and agent instruction files.

Install only if you are comfortable treating this as an active workspace-mutating security tool, not just a scanner. Start with `scan`, `check`, `boundaries`, `allowlist`, and `status`; avoid `protect`, `quarantine`, `unquarantine`, `sanitize`, `canary`, and `enforce` unless you have backups and have reviewed exactly which files and hooks they will create or modify.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (7)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill advertises only a markdown interface but clearly invokes a local Python script that can read environment variables, traverse the workspace, write a policy file, and potentially inspect content broadly. This mismatch between declared permissions and actual capabilities is a real security issue because it prevents accurate user consent and sandboxing decisions, even though the document claims no external dependencies or network calls.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The generated hook configuration invokes a non-existent `check-command` subcommand, so users may believe Bash commands are being validated when they are not. This creates a dangerous false sense of protection and can leave command execution entirely unguarded despite advertised runtime enforcement.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The tool is presented primarily as a scanner/defense suite, but it also contains commands that modify, move, and inject content into workspace files. That mismatch is security-relevant because operators may grant trust or automation privileges assuming read-only scanning behavior, while the skill actually has write-side effects across sensitive files.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: Canary deployment writes tracking tokens directly into trusted instruction files and memory files, which changes agent-consumed content rather than merely analyzing it. In this context, modifying trusted prompt sources expands the tool's authority and can interfere with integrity, auditing, or downstream model behavior.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The quarantine path moves files out of their original location without an interactive confirmation step. In an agent skill context, relocating workspace files can disrupt builds, hide data from users, or be abused to alter project state under the guise of security enforcement.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: Canary deployment modifies files in place by appending hidden comments, but the action is framed as monitoring rather than file mutation. In trusted instruction files, even small hidden changes can affect integrity guarantees and create confusion about what content is original versus tool-injected.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The `protect` workflow automatically sanitizes files, blocks content, and quarantines critical files as part of a startup-oriented sweep. In this context, automatic mutation of workspace and instruction files without confirmation is high risk because a false positive can alter trusted prompts, remove data, or break project state at session start.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal