Openclaw Sentinel

Security checks across malware telemetry and agentic risk

Overview

This is a local security scanner, but it includes under-documented commands that can disable, move, or automatically quarantine other installed skills.

Install only if you want a security tool that can also manage other skills. Start with read-only commands such as scan, inspect, status, and threats, pass an explicit --workspace path, import threat lists only from trusted sources, and avoid quarantine, reject, or protect unless you intentionally want the tool to disable or move skill directories and have backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises significant operational capabilities in its documented commands and behavior, including filesystem access, environment-variable use, shell execution via python3, and threat-list imports, but does not declare corresponding permissions. This creates a trust and review gap: users and hosts may invoke the skill without realizing the breadth of access it needs, which is especially sensitive for a security scanner that inspects workspace contents and may process attacker-controlled files.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The docstring says the scanning tier is alert-only, but the code implements active modification features such as quarantine, reject, SBOM/history persistence, and automated protection that renames or moves skill directories. This mismatch can mislead operators into running a tool they believe is passive when it can alter the workspace, increasing the risk of unintended disruption or abuse.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The script contains commands that quarantine, unquarantine, reject, and automatically quarantine other skills by renaming or moving their directories. In an agent-skill context, code that modifies or removes peer skills materially expands trust boundaries and can be abused to disable legitimate components or cause operational denial of service.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file presents itself primarily as a scanning/inspection suite, but the implementation also persists monitoring data, writes SBOMs/history, archives skills, and performs automated protection sweeps. This behavioral mismatch undermines informed consent and can cause users or orchestrators to grant broader permissions than they intended for a supposedly read-only scanner.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Quarantine and rejection operations rename or move skill directories immediately, and the protect flow can auto-quarantine without an interactive confirmation step. Without confirmation or a safer approval mechanism, accidental invocation or scripted misuse can disable skills and disrupt the workspace.

VirusTotal

66/66 vendors flagged this skill as clean.
