Security audit

vispatrol-alram-query

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for VisPatrol alarm reports, but it needs review because it uses a local session token and saves surveillance snapshots while relying on instructions, not code, for consent enforcement.

Install only on a trusted Windows VisPatrol host where %TEMP%/vpup.json is expected. Confirm the OpenClaw approval config is set for the actual installed skill entry, approve each run before it reads the local session token, and delete saved snapshot images when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill describes capabilities to read a local credential-bearing file (%TEMP%/vpup.json), use an environment/session token, perform network requests, invoke a Python script, and write snapshot files, but it does not declare explicit permissions in a machine-enforceable way beyond descriptive metadata. This creates a real security gap: the runtime may expose sensitive file, shell, network, and file-write behavior without a clear permission contract, increasing the chance of unintended credential access or broader misuse if the script or surrounding agent behavior is modified.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The skill description explicitly says execution must only occur after obtaining the user's clear consent to read local `vpup.json`, but the constructor automatically loads that file and decrypts its token on instantiation. This violates the declared trust boundary and can expose sensitive local configuration and credentials before the user has approved access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The skill description frames the capability as querying alarms and snapshots, but this code also downloads snapshot content and persists it to local disk. That creates additional confidentiality and storage side effects beyond a simple query, especially because snapshots may contain sensitive surveillance imagery.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The code collects a device-unique MAC address and may invoke system commands to retrieve it in order to derive a decryption key. This is more invasive than a user would reasonably expect from an alarm-query skill and exposes hardware identity information that can be used for tracking or credential derivation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script reads local configuration, accesses a device-unique MAC address, and decrypts a token without any user-facing warning at the point of use. In a skill whose metadata already requires explicit consent before reading `vpup.json`, silently performing these actions materially increases privacy and credential-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The code fetches snapshot data over HTTP and writes image files to disk without an explicit warning that network transmission and local file creation will occur. Because the images are surveillance snapshots, silent download and persistence can leak highly sensitive visual data and leave forensic traces on the host.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.