
Security audit

Vector-Robot

Security checks across malware telemetry and agentic risk

Overview

This robot-control skill does what it says, but it also ships unsafe input handling in its helper scripts, an unauthenticated local proxy, and an optional auto-start (LaunchAgent) service.

Install only after reviewing the helper scripts. Patch vector-say.sh before passing untrusted text, avoid the LaunchAgent unless you truly want an always-on proxy, bind the proxy to localhost with authentication, and treat request.json, response.json, logs, and camera snapshots as private data. Supervise robot movement because behavior control disables cliff sensors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents use of shell commands, network access, and environment variables but declares no permissions, which undermines least-privilege controls and makes the true execution surface opaque to users and reviewers. In this context, the undeclared capabilities are especially relevant because the skill can control physical hardware, access a camera stream, and run local services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to be for robot control, but it also introduces a localhost proxy service, persistent auto-start behavior, and disk-based request/response handling that materially expand its scope. That mismatch is dangerous because users may approve a robotics skill without realizing it also installs background infrastructure that can persist, capture prompts, and expose a local API surface.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented `/api/get_config` and `/api/get_logs` endpoints expose server configuration and recent voice-command logs, which are outside the core robot-control scope and may reveal sensitive local setup details or private user interactions. In a skill for controlling a physical robot, documenting these endpoints expands the accessible surface into configuration and surveillance-adjacent data, increasing privacy and information-disclosure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The API reference explicitly notes that cliff sensors are disabled during behavior control, but provides no mandatory safety constraints, operator warning, or movement limitations. Because this skill controls a physical robot, disabling fall-prevention safeguards can directly lead to device damage or unsafe real-world movement, especially if wheel commands are issued near stairs, edges, or elevated surfaces.

Missing User Warnings

Low
Confidence
87% confidence
Finding
Documenting access to recent voice command logs without any privacy notice or access restriction guidance creates a risk of exposing sensitive spoken content, user behavior patterns, or household context. In this skill, which already interfaces with a camera-enabled home robot, log access is more sensitive because it can reveal private interactions beyond what is necessary for robot actuation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes a LaunchAgent plist into the user's LaunchAgents directory and immediately loads it, causing the proxy to persist across logins without any explicit warning, prompt, or confirmation. Even if intended for convenience, silently establishing persistence is security-sensitive behavior because it changes the host's startup state and can surprise users or be abused if the script or referenced proxy is later modified.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Incoming chat requests are written verbatim to request.json, including the extracted user question and the raw request payload. This creates local persistence of potentially sensitive conversations without any access controls, retention policy, or user-facing disclosure, increasing the risk of unintended disclosure to other local users, processes, backups, or forensic artifacts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server reads and deletes responses from a shared local response file and logs the assistant response to console. This exposes generated content through terminal logs and transient file-based IPC without authentication or isolation, which is especially sensitive in a robot skill because spoken or camera-adjacent interactions may contain private household information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script issues network requests that take behavior control of a physical robot and make it speak without any built-in disclosure, confirmation, or safety gating. In the context of a robot-control skill, this can surprise nearby people, trigger unintended physical/device behavior, and cause privacy or trust concerns even if the author likely intended normal device operation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script captures a frame from a physical robot's camera and saves it to disk automatically, with no user-facing notice, confirmation, or consent check. In the context of a robot-control skill, this creates a real privacy risk because the camera can observe a user's environment, and the saved image persists on local storage where other processes or users may access it.

Session Persistence

Medium
Category
Rogue Agent
Content
## LaunchAgent (Auto-start on macOS)

Install to `~/Library/LaunchAgents/com.openclaw.vector-proxy.plist` for auto-start. See `scripts/install-launchagent.sh`.

## API Reference
Confidence
88% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
NODE_PATH=$(which node)
PLIST_PATH="$HOME/Library/LaunchAgents/com.openclaw.vector-proxy.plist"

cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
Confidence
84% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
NODE_PATH=$(which node)
PLIST_PATH="$HOME/Library/LaunchAgents/com.openclaw.vector-proxy.plist"

cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
Confidence
84% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
NODE_PATH=$(which node)
PLIST_PATH="$HOME/Library/LaunchAgents/com.openclaw.vector-proxy.plist"

cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
90% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
83% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
83% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openclaw.vector-proxy</string>
Confidence
82% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
    <key>StandardErrorPath</key>
    <string>$SCRIPT_DIR/proxy-error.log</string>
</dict>
</plist>
EOF

launchctl load "$PLIST_PATH"
Confidence
85% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
</plist>
EOF

launchctl load "$PLIST_PATH"
echo "LaunchAgent installed and started"
echo "Proxy will auto-start on boot"
Confidence
88% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
</plist>
EOF

launchctl load "$PLIST_PATH"
echo "LaunchAgent installed and started"
echo "Proxy will auto-start on boot"
Confidence
88% confidence
Finding
PLIST

VirusTotal

55/55 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.