Agent Factory (Walter)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it also makes broad persistent OpenClaw and Feishu changes that users should review before running.

Install only if you trust it to edit your OpenClaw configuration, persist a Feishu app secret, enable Feishu tools, and restart the OpenClaw gateway. Before running it, back up openclaw.json, use a least-privilege Feishu app, avoid copying existing MEMORY.md into the new agent unless you have reviewed it, and review any optional skill you ask it to install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill copies MEMORY.md from the current active agent into the newly created agent workspace, which can transfer prior conversation memory, operational notes, or sensitive natural-language data into a different agent without explicit necessity. This creates a cross-agent data leakage path that exceeds the stated purpose of creating and configuring a new Feishu-backed agent.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill enables Feishu tool permissions globally even though those permissions are not required to create an agent or bind Feishu credentials. Expanding tool access beyond the requested action violates least privilege and can expose additional capabilities to the newly configured environment or other agents using the same channel settings.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Restarting the OpenClaw gateway is an operational action affecting the broader system, not just the new agent being created. Performing a service restart as part of a creation workflow can disrupt unrelated workloads and gives the skill unnecessary control over runtime availability.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The skill can install an arbitrary additional skill into the new agent workspace, which extends behavior beyond the advertised create-and-configure scope. Because the installed skill name is user-controlled and not allowlisted, this introduces a supply-chain and privilege-extension risk into a workflow handling secrets and system configuration.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger phrases are broad enough that routine requests like creating a bot or agent could invoke a workflow that edits configuration, stores secrets, enables tools, and restarts services. In this context, accidental activation is more dangerous because the skill performs privileged system and credential-handling actions.

Missing User Warnings

High
Confidence: 96%
Finding
The skill processes app secrets, modifies global configuration, changes permissions, and may restart infrastructure, but the documentation does not prominently warn users about these sensitive operations. Missing disclosure and confirmation increase the chance of unsafe use, especially because the workflow persists credentials and makes system-wide changes.

Ssd 3

Medium
Confidence: 95%
Finding
Copying MEMORY.md into a new agent can propagate accumulated conversational or operational context from one agent to another, creating an unintended data-sharing channel. Because memory files are natural-language artifacts, they may contain secrets, personal data, or internal instructions that are hard to reliably sanitize after the fact.

VirusTotal

64/64 vendors flagged this skill as clean.