Back to skill

Security audit

OpenNexum

Security checks across malware telemetry and agentic risk

Overview

OpenNexum appears to be a real multi-agent orchestration skill, but it gives agents durable project-control instructions and default commit-and-push behavior that can publish code without a clear human review gate.

Install only in repositories where you are comfortable with agents making commits, writing AGENTS.md guidance, sending webhook callbacks, and potentially pushing to the configured remote branch. Review `nexum/config.json`, disable or blank the git remote if you do not want automatic push, protect main branches, avoid committing webhook tokens, and use the watch daemon only for projects you intentionally add.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities that imply environment and network interaction, but it does not declare permissions or clearly scope those powers. In an orchestration skill that triggers callbacks, syncs contracts, and coordinates external agents, hidden or undeclared network/env access increases the chance of unintended data exposure, unsafe outbound requests, or execution in environments that would otherwise deny these actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document explicitly instructs generator agents to run `git add`, `git commit`, and `git push -u origin HEAD` automatically before callback completion. That grants autonomous code publication to a remote repository, which materially expands the agent's authority from orchestration into irreversible external side effects, creating supply-chain and data-exfiltration risk if the agent is mistaken, compromised, or prompt-injected.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The workflow gives generator agents direct remote repository push capability with no review checkpoint, least-privilege boundary, or justification tied to the skill's stated contract/orchestration purpose. In a multi-agent system, this is especially dangerous because any flawed task interpretation or adversarial input can be turned into an immediate trusted repository update.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The init command modifies AGENTS.md/CLAUDE.md to insert mandatory operational instructions that future agents are expected to follow, which goes beyond normal project scaffolding and silently changes agent behavior. In a multi-agent orchestration tool, this creates a persistence/control channel inside repository guidance files and can cause downstream agents to perform external callbacks or disclose metadata without explicit per-run consent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This logic reads an existing AGENTS.md or CLAUDE.md, removes any prior callback block, and rewrites AGENTS.md with a mandatory callback workflow. Rewriting shared instruction files can override or supersede repository guidance and effectively plants durable instructions for future agent executions, which is risky because those files influence automated behavior outside the immediate init command.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper silently sources a webhook bearer token from unrelated OpenClaw environment/config locations, creating cross-application credential reuse. In a multi-agent orchestration CLI, this can cause requests to be authenticated with a token the user did not intend to expose to this tool, enabling confused-deputy behavior and unintended access to another local service or account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to place a shared secret token in plaintext configuration and environment variables for webhook authentication, but gives no guidance on secure storage, rotation, transport hardening, or avoiding accidental disclosure. In an orchestration system that accepts webhook-triggered task events, weak credential handling can enable unauthorized callback injection, task spoofing, or operational disruption if the token is leaked.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The documentation says that `nexum init` writes callback protocol content into `AGENTS.md` and may seed it from `CLAUDE.md`, but the skill description does not prominently warn that project documentation files will be created or modified. This can surprise users, overwrite workflow instructions, or introduce unreviewed agent guidance into repositories, especially in automation-heavy environments where initialization may be run quickly or non-interactively.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This command persists ACP session identifiers and optional stream log paths into task state and also echoes them to stdout. Session keys and log file locations are operational secrets or sensitive metadata in an orchestration system; if CLI output, task files, CI logs, or shared project directories are accessible to other users or processes, they can enable session hijacking, unauthorized log access, or internal environment disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template instructs the agent to write a repository file (`nexum/runtime/field-reports/{{TASK_ID}}.md`) as a required part of task completion, but it does not clearly surface that this is a side-effecting repository modification requiring user awareness or approval. In a prompt-generation context, this can cause an agent to make persistent changes outside the explicit task scope, creating opportunities for unauthorized file writes, audit noise, or tampering with evaluation artifacts.

Missing User Warnings

High
Confidence
98% confidence
Finding
The template directs the agent to execute `commit + push` and a `nexum callback` command, which can trigger both repository side effects and outbound network communication, yet it provides no safety gating, confirmation step, or warning. In an agentic environment, such instructions can cause unauthorized code publication, leakage of task metadata, and external signaling to orchestration infrastructure without the user's informed consent.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
packages/spawn/src/status.ts:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
packages/cli/src/lib/webhook.ts:13