Agent Spawner

Security checks across malware telemetry and agentic risk

Overview

This skill can create a new OpenClaw agent, but it silently gathers and copies broad credentials into a persistent LAN-accessible agent without enough user control.

Only install this if you intentionally want to duplicate the current agent and its access. Review each credential, plugin, and skill before copying, avoid broad TOKEN/API_KEY environment harvesting, prefer local-only binding unless LAN exposure is needed, and be ready to stop the new agent and revoke copied credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill explicitly instructs reading API keys and tokens from the current agent's config and environment, then reusing them in a newly spawned agent. That creates unauthorized credential replication and expands the trust boundary from one agent instance to another without explicit, informed consent or least-privilege scoping.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The hand-off step instructs the agent to read the new gateway token from config and print it to the operator. Displaying authentication tokens increases the chance of accidental disclosure through chat logs, terminal history, screenshots, or downstream agents and is not necessary if access can be established through safer means.

Missing User Warnings

High
Confidence: 93%
Finding
The description markets the skill as simple conversational deployment while omitting that it will inspect existing config, copy credentials, migrate plugins, and replicate skills. This under-describes sensitive behavior and undermines informed consent, making dangerous actions more likely to be triggered unexpectedly.

Missing User Warnings

High
Confidence: 98%
Finding
The skill says to read config files, .env contents, and environment variables 'silent[ly]' before asking the user only deployment questions. Silent secret discovery removes user awareness and consent at the exact point sensitive data is accessed, which is especially risky in an agent skill that may be triggered conversationally.

Missing User Warnings

Medium
Confidence: 90%
Finding
The deployment instructions expose the service on the LAN and pass recovered credentials into onboarding commands, but they do not clearly warn the user about increased network exposure or credential handling risks. In a provisioning context, omissions like this can lead users to deploy an unnecessarily reachable service with copied secrets they did not realize were being injected.

Ssd 3

High
Confidence: 99%
Finding
These instructions direct the agent to enumerate and extract API keys, tokens, tool secrets, plugins, and skills from the current environment and configuration, then carry them into a separate agent instance. That is direct sensitive data handling and cross-instance propagation beyond the minimum needed for conversational provisioning, substantially enlarging the blast radius of any compromise.

Ssd 3

High
Confidence: 96%
Finding
The confirmation plan tells the agent to show carried-over secret-bearing items such as provider/API key presence and other authenticated integrations in user-facing output. Even when values are not fully printed, enumerating which secrets and integrations exist can disclose sensitive security posture and encourage over-sharing in logs or transcripts.

Ssd 3

High
Confidence: 98%
Finding
The deployment commands automatically inject recovered API credentials into the onboarding flow for the new agent. This operationalizes secret exfiltration from one trust domain into another and may leak credentials via shell history, process listings, logs, or misconfigured remote execution paths.

Ssd 3

High
Confidence: 97%
Finding
The hand-off directs reading an authentication token from config and presenting it to the user. Revealing live access tokens in chat or terminal output is a straightforward credential disclosure issue that can enable unauthorized access if the output is observed, logged, or retained.

VirusTotal

64/64 vendors flagged this skill as clean.
