Security audit

Sageox

Security checks across malware telemetry and agentic risk

Overview

This SageOx skill is mostly coherent, but it deserves review because it can move repo, team, recording, and OpenClaw memory data into SageOx or Claude without strong per-action consent controls.

Install only if you are comfortable giving this skill access to SageOx, GitHub, Claude CLI, selected repositories, and selected OpenClaw memory files. Before using import, distill, summary, or catchup, confirm what data will be sent to SageOx or Claude, avoid importing sensitive recordings or private memory without authorization, and periodically review the SageOx state files under ~/.openclaw/memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill instructs the agent to execute multiple shell commands (`bash scripts/update-ox.sh`, `ox login`, `gh auth status`, `git config`, `claude`) and to modify local state, but it declares no permissions indicating shell/code execution. This creates a trust and consent gap: users may invoke what looks like a knowledge/query skill while it can run commands, change files, and potentially trigger login flows or installs on the host.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The public description emphasizes team knowledge operations, but the body also mandates downloading/installing a binary, modifying executables under `$HOME/.local/bin`, writing state under `~/.openclaw/memory`, and enforcing environment setup. That mismatch is dangerous because it can socially engineer users into authorizing a skill they believe is informational when it actually performs host modification and software installation.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The invocation text includes generic phrases like "catch up" and "show repos," which are common in ordinary conversation and can cause the skill to trigger outside clearly intended SageOx operations. In this skill, accidental triggering is more dangerous than usual because activation leads into prerequisite checks, shell commands, authentication validation, and possible install/update flows.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The repo-management triggers "add repo," "remove repo," and "show repos" are highly ambiguous and could match unrelated user intent. Because these commands operate on a central manifest in `~/.openclaw/memory` and influence subsequent repo selection and command execution context, accidental invocation can alter persistent configuration and redirect later operations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guidance tells the agent to run `ox distill` and report results, but it does not warn the user that distillation creates memory files and may push those outputs remotely unless `--no-push` is used. In an interactive agent setting, that omission can cause unintended persistence or external transmission of synthesized repository/team data, which is especially risky because distillation aggregates observations, discussions, and GitHub facts into durable summaries.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs users to import remote video URLs for cloud processing, where the server transcribes and summarizes content, but it gives no warning that potentially sensitive data will leave the local environment and be sent to a remote service. In a team-knowledge tool, imported recordings may contain confidential business discussions, credentials, customer data, or internal strategy, so the omission materially increases the risk of accidental data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The bridge workflow directs the agent to read `~/.openclaw/memory/*.json`, extract content, import it into SageOx, and persist audit state, but it does not warn that these local memory files may contain highly sensitive private context. Because this skill is specifically designed to bridge knowledge across systems, the context makes the issue more dangerous: it normalizes bulk access to local memory and onward transfer into shared team context, creating a clear path for unintended exfiltration and over-sharing.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The export-tracking instructions store queries, team identifiers, output paths, and timestamps in a local memory file without informing the user. While lower severity than direct content export, this metadata can still reveal sensitive topics, internal project names, file locations, and user behavior, which may be useful for reconnaissance or privacy-invasive monitoring.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.