Security audit

vispatrol-alarm-query

Security checks across malware telemetry and agentic risk

Overview

This skill is, for the most part, a disclosed VisPatrol alarm and snapshot query skill, but one snapshot download path can send the local session token outside the documented VisPatrol endpoint boundary.

Install only on a trusted Windows host that already runs VisPatrol, and only if users understand it reads %TEMP%/vpup.json, decrypts a local session token, queries alarms, and saves snapshot images locally. Before broad deployment, the publisher should restrict snapshot downloads to the configured VisPatrol media host or avoid sending the bearer token to absolute snapshot URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill exercises sensitive capabilities including local file reads of %TEMP%/vpup.json, token handling via environment/config, network access, shell/process invocation, and local file writes, yet declares no explicit permissions boundary beyond prose in the document. Relying on descriptive text instead of enforceable permissions increases the chance that the skill is loaded or executed with broader access than reviewers or users expect.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The description frames the skill as a read-only alarm query after user approval, but the documented behavior goes further: decrypting and using a session token, invoking cmd.exe/powershell.exe/getmac, downloading snapshots to disk, and potentially returning image/base64 content. This mismatch is dangerous because it hides credential use, process execution, and data exfiltration surfaces behind a much narrower stated purpose, making informed consent and review less reliable.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The skill description says it is limited to reading `%TEMP%/vpup.json` for read-only alarm and snapshot queries, but the implementation also downloads snapshot content from remote services and writes image files locally. This violates the declared trust boundary and can unexpectedly persist sensitive surveillance images on disk, increasing privacy and data-handling risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The code collects a stable host identifier (MAC address), hashes it, and uses it to decrypt the token from `vpup.json`. Even if this mirrors an existing product design, it grants the skill host-fingerprinting capability beyond straightforward alarm querying and handles sensitive auth material derived from device identity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: To locate the Windows TEMP directory from under WSL, the skill executes host commands (`cmd.exe`, `powershell.exe`) and probes environment details. In the stated context of a limited query skill, this exceeds the declared minimum capability and broadens interaction with the host OS in a way users may not expect.

Scope Creep

Severity: High
Confidence: 99%
Finding: The skill claims only to read `%TEMP%/vpup.json`, but `_build_snapshot_local_path` creates directories and writes files under `~/.openclaw/workspace/tmp_files/` or a caller-provided path. This is a direct mismatch between declared and actual file-system access, and it can leave sensitive snapshot artifacts behind outside the approved location.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill processes a decrypted bearer token, transmits it to local services, and may later download and persist snapshot data, yet there is no clear user-facing warning or consent mechanism in the code path itself. In a surveillance context, opaque handling of auth tokens and image data increases privacy and misuse risk.

VirusTotal

58/58 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.