Provider Sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: sync provider model lists into OpenClaw configuration, with disclosed dry-run, apply, backup, alias-sync, and optional probing behavior.

Install only if you want a tool that can modify OpenClaw provider configuration. Run dry-run first, review added/removed models and alias pruning, avoid provider=all or mode=apply unless intentional, use API keys only in trusted private contexts, and avoid custom mappings with --allow-outside-provider unless you fully understand every config path being written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill can read and write configuration files, make network requests, and invoke shell-level actions, yet the manifest does not declare any permissions. That weakens review and policy enforcement because operators and automated guards cannot accurately assess or constrain what the skill may do before invocation. In this context, the skill modifies OpenClaw configuration and may trigger restart-related workflows, so undeclared capabilities materially increase risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documented purpose suggests a bounded model-list sync, but the actual behavior extends to probing live provider endpoints, mutating provider.api, pruning alias entries, and caching upstream responses locally. This mismatch is dangerous because users may authorize a seemingly limited sync operation without realizing it can alter broader routing behavior, remove configuration entries, and persist remote data on disk. The dry-run/apply language helps somewhat, but hidden side effects still make mistaken approval more likely.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill's stated purpose is syncing provider model lists, but it also mutates agents.defaults.models by adding and pruning aliases. In an agent environment, that expands the blast radius from provider metadata updates to behavior-affecting routing changes, which can silently alter which models agents use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
API probing issues live POST requests to /responses or /chat/completions, which goes beyond passive model-list synchronization. Even with a tiny payload, this can trigger billable inference, hit production endpoints with real credentials, and cause side effects in monitored or policy-restricted environments.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The --allow-outside-provider flag permits mappings to write anywhere in the OpenClaw config, despite the skill being framed as provider sync. Because mapping files are external input, this can be used to modify unrelated security-sensitive settings, creating a configuration integrity risk far beyond the advertised scope.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The trigger examples are broad enough to activate the skill on loosely related natural-language requests without clear guardrails such as requiring explicit provider identifiers, endpoint ownership, dry-run defaulting, or confirmation boundaries. In a skill that can query external endpoints and potentially write configuration, this increases the risk of over-broad invocation and unintended syncing or network access.

VirusTotal

64/64 vendors flagged this skill as clean.