Srs

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it reads broad local workspaces and creates persistent role/state files beyond what its documentation clearly explains.

Install only if you are comfortable with it scanning local research/OpenClaw workspace directories and writing persistent state. Use it in a sandbox or dedicated non-sensitive workspace, and review or edit the default paths before running scan, review, daily, evaluate, improve, or parallel execution commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The code recursively scans broad directories in the user's home/workspace and reads arbitrary .md/.yaml/.json files unrelated to its own state. For an unknown-purpose skill, this creates unjustified access to potentially sensitive local data and expands the trust boundary well beyond governance metadata; even though this file contains no exfiltration code, indiscriminate collection of file contents and paths is a real privacy and security risk.
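The two scan behaviours this finding contrasts, as an added example that is not code from the Srs skill or from SkillSpector: `broad_scan` is the flagged pattern (walk a wide root, follow symlinks, read every document-like file), and `scoped_scan` confines reads to an explicit allowlist, refuses symlinks, prunes sensitive directories and caps file size. The directory layout, the extension list, the exclusion list and the fixture contents are all constructed for illustration.

```python
"""Added example (not code from the Srs skill or from SkillSpector): the
over-broad scan the finding describes, beside a version confined to an
explicit allowlist. The directory layout, extensions and exclusions are
assumptions for illustration."""
import os
import tempfile
from pathlib import Path

DOC_SUFFIXES = {".md", ".yaml", ".yml", ".json"}
EXCLUDE_DIRS = (".git", "node_modules", ".ssh", ".aws")  # assumed default exclusions
MAX_BYTES = 256 * 1024  # refuse to read unexpectedly large files


def broad_scan(root: str) -> list[str]:
    """The flagged pattern: walk a broad root such as $HOME, follow symlinks,
    and collect every document-like file with no exclusions."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=True):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in DOC_SUFFIXES:
                found.append(str(path))
    return found


def scoped_scan(root: str, allowed_roots: list[str]) -> list[str]:
    """Read only files whose resolved location is under an allowlisted root.
    Symlinks are not followed (a link pointing out of the workspace is skipped),
    excluded directories are pruned, and oversized files are ignored."""
    allowed = [Path(a).resolve() for a in allowed_roots]
    found = []
    for dirpath, dirs, files in os.walk(root, followlinks=False):
        dirs[:] = [d for d in dirs if d not in EXCLUDE_DIRS]  # prune in place
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or path.suffix.lower() not in DOC_SUFFIXES:
                continue
            real = path.resolve()
            if not any(real == a or a in real.parents for a in allowed):
                continue  # outside the allowlist even after resolution
            if real.stat().st_size > MAX_BYTES:
                continue
            found.append(str(path))
    return found


def build_sample_tree() -> tuple[str, str]:
    """Constructed fixture: a workspace with one note and a .git directory, plus
    a sibling 'secrets' directory outside the workspace that is reachable only
    through symlinks planted inside it. Returns (base, workspace)."""
    base = Path(tempfile.mkdtemp())
    ws = base / "workspace"
    outside = base / "secrets"
    (ws / ".git").mkdir(parents=True)
    outside.mkdir()
    (ws / "notes.md").write_text("# research notes (constructed)\n")
    (ws / ".git" / "config.json").write_text("{}\n")
    (outside / "creds.yaml").write_text("token: placeholder-not-a-real-secret\n")
    (ws / "link").symlink_to(outside, target_is_directory=True)
    (ws / "creds_link.yaml").symlink_to(outside / "creds.yaml")
    return str(base), str(ws)


def compare(base: str, ws: str) -> dict[str, list[str]]:
    """Run both scanners over the fixture and return base-relative paths."""
    return {
        "broad": sorted(os.path.relpath(p, base) for p in broad_scan(base)),
        "scoped": sorted(os.path.relpath(p, base) for p in scoped_scan(ws, [ws])),
    }


if __name__ == "__main__":
    base_dir, workspace = build_sample_tree()
    for mode, paths in compare(base_dir, workspace).items():
        print(mode, paths)
```

Run stand-alone, the broad walk returns the out-of-workspace credentials file twice (once directly, once through the planted symlink) plus the .git config, while the scoped walk returns only the note inside the workspace. Resolving the path before the allowlist check is what defeats the symlink escape; pruning `dirs` in place is what keeps the walk from even listing excluded trees.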

Context-Inappropriate Capability

Medium severity, 89% confidence
Finding
The skill can autonomously create role definition files and update its capability registry based on its own evaluation, introducing self-modifying persistent behavior. In an agent/skill context this is risky because unreviewed local state changes can silently expand future behavior, create unsafe trust in discovered content, and make the system harder to audit or control.

Vague Triggers

Medium severity, 89% confidence
Finding
The role-matching table uses very broad keywords such as 'research', 'analysis', 'document', and 'report', which are common in ordinary user requests and can cause the skill to activate or route tasks too aggressively. In a security-themed skill, this increases the chance that benign requests are misclassified as security research work, leading to unintended invocation, over-collection, or execution of higher-risk workflows without sufficient user intent verification.
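How the broad keyword table described here misfires on ordinary requests, and one stricter matching rule, as an added example that is not code from the Srs skill or from SkillSpector. The role table, the explicit invocation phrase, the security-domain vocabulary and the labelled sample prompts are all constructed for illustration; the only point carried over from the finding is the keyword set.

```python
"""Added example (not code from the Srs skill or from SkillSpector): how bare
keyword triggers over-fire on everyday requests, beside a stricter matching
rule. The role table, the explicit invocation phrase, the domain vocabulary
and the sample prompts are all constructed for illustration."""
import re

ROLE = "security_researcher"

# Constructed approximation of a keyword-only role table like the one described.
BROAD_TRIGGERS = {ROLE: {"research", "analysis", "document", "report"}}

# Stricter rule: an explicit invocation, or a domain term together with an action term.
STRICT_RULES = {
    ROLE: {
        "explicit": {"use the srs skill"},  # hypothetical invocation phrase
        "domain": {"cve", "vulnerability", "exploit", "malware", "threat", "advisory"},
        "action": {"research", "analysis", "analyze", "document", "report"},
    }
}


def tokens(prompt: str) -> set[str]:
    return set(re.findall(r"[a-z]+", prompt.lower()))


def broad_match(prompt: str, table: dict = BROAD_TRIGGERS) -> set[str]:
    """Fire on any single keyword hit."""
    words = tokens(prompt)
    return {role for role, kws in table.items() if words & kws}


def strict_match(prompt: str, rules: dict = STRICT_RULES) -> set[str]:
    """Fire only on an explicit invocation, or when the request names both the
    security domain and an action; a lone 'report' or 'research' is not enough."""
    low = prompt.lower()
    words = tokens(prompt)
    hits = set()
    for role, rule in rules.items():
        if any(phrase in low for phrase in rule["explicit"]):
            hits.add(role)
        elif words & rule["domain"] and words & rule["action"]:
            hits.add(role)
    return hits


# Constructed prompts labelled with whether they are genuinely security-research work.
PROMPTS = [
    ("Write a report on our Q3 sales numbers", False),
    ("Help me document the onboarding process for new hires", False),
    ("Do some research on good hiking trails near Boulder", False),
    ("Run an analysis of the CVE in this advisory and document the impact", True),
    ("Use the Srs skill to report on recent malware trends", True),
]


def false_positive_rate(matcher) -> float:
    """Share of benign prompts on which the matcher activates the role."""
    benign = [p for p, is_security in PROMPTS if not is_security]
    return sum(1 for p in benign if matcher(p)) / len(benign)


def recall(matcher) -> float:
    """Share of genuine security-research prompts the matcher catches."""
    security = [p for p, is_security in PROMPTS if is_security]
    return sum(1 for p in security if matcher(p)) / len(security)


if __name__ == "__main__":
    for name, m in (("broad", broad_match), ("strict", strict_match)):
        print(f"{name}: FP rate {false_positive_rate(m):.2f}, recall {recall(m):.2f}")
```

On the constructed set the keyword table activates the role for every benign request (a sales report, HR onboarding notes, hiking research) while the two-signal rule activates for none of them and still catches both genuine requests. The general lesson is the one in the finding: a trigger word that also appears in everyday language is not evidence of user intent, so require a second, domain-specific signal or an explicit invocation before routing to a higher-risk workflow.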

Vague Triggers

Medium severity, 92% confidence
Finding
The role manifest enables broad autonomous actions such as scan, discover, and trend without any stated scope limits, approval requirements, target restrictions, or exclusions. In an agent system, this can lead to unintended enumeration of data, services, or environments and may expand the agent's operational reach beyond what users expect.

Vague Triggers

Medium severity, 91% confidence
Finding
The role declares automatic tasks ("organize", "document", "report") without any documented trigger conditions, scope limits, approval gates, or target restrictions. In an agent framework, broad auto-execution can cause unintended processing, reporting, or persistence of sensitive data, especially because a knowledge manager role is naturally positioned to touch many documents and aggregate information.

Vague Triggers

Medium severity, 93% confidence
Finding
The manifest enables very broad automatic tasks ('monitor', 'alert', 'respond') without any visible scoping, approval gates, or trigger constraints. In a security-operations role, the generic 'respond' action in particular could be invoked in unintended contexts and lead an agent to take autonomous actions beyond simple observation or notification.
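What the missing controls named in the three manifest findings above (scope limits, approval gates, target restrictions, exclusions, trigger conditions) look like when they are present, as an added example that is not the Srs manifest and not SkillSpector code. The manifest shape (`role`, `auto_tasks`, `scope.targets`, `scope.exclude`, `scope.trigger`, `approval`) and the classification of which tasks count as side-effecting are assumptions chosen for illustration; the bare task names are the ones the findings quote.

```python
"""Added example (not the Srs manifest or SkillSpector code): a checker for
the scoping fields the findings above say the role manifests lack, plus a
runtime gate that enforces them per task and target. The manifest shape and
the set of side-effecting tasks are assumptions."""
from fnmatch import fnmatch
from pathlib import PurePosixPath

REQUIRED_SCOPE_KEYS = ("targets", "exclude", "trigger")
# Tasks that change state or act on the world rather than only observe or notify (assumed).
SIDE_EFFECTING = {"respond", "organize", "document", "report", "improve"}


def check_manifest(manifest: dict) -> list[str]:
    """Return one message per missing control; an empty list means every auto
    task states targets, exclusions and a trigger, and every side-effecting
    task is gated behind approval."""
    problems = []
    role = manifest.get("role", "<unnamed role>")
    for task in manifest.get("auto_tasks", []):
        # A bare string such as "scan" carries no scope at all.
        spec = {"name": task} if isinstance(task, str) else task
        name = spec.get("name", "<unnamed task>")
        scope = spec.get("scope") or {}
        for key in REQUIRED_SCOPE_KEYS:
            if not scope.get(key):
                problems.append(f"{role}/{name}: missing scope.{key}")
        if name in SIDE_EFFECTING and spec.get("approval") != "required":
            problems.append(f"{role}/{name}: side-effecting task without approval gate")
    return problems


def allowed_to_run(spec: dict, target: str, approved: bool = False) -> bool:
    """Runtime gate for one task against one target path: the target must fall
    under a declared scope target, match no exclusion pattern, and a
    side-effecting task must have been explicitly approved."""
    scope = spec.get("scope") or {}
    t = PurePosixPath(target)
    in_scope = any(t == PurePosixPath(s) or PurePosixPath(s) in t.parents
                   for s in scope.get("targets", []))
    excluded = any(fnmatch(target, pat) for pat in scope.get("exclude", []))
    needs_approval = spec.get("name") in SIDE_EFFECTING
    return in_scope and not excluded and (approved or not needs_approval)


# Constructed manifest in the shape the findings describe: bare task names, no scope.
UNSCOPED = {"role": "security_operations", "auto_tasks": ["monitor", "alert", "respond"]}

# Constructed counterpart carrying every control the checker looks for.
SCOPED = {
    "role": "security_operations",
    "auto_tasks": [
        {"name": "monitor",
         "scope": {"targets": ["./workspace/logs/"], "exclude": ["**/*.env", "**/.ssh/**"],
                   "trigger": "new file under targets"}},
        {"name": "alert",
         "scope": {"targets": ["./workspace/alerts.md"], "exclude": ["**/*.env"],
                   "trigger": "monitor produced a finding"}},
        {"name": "respond",
         "scope": {"targets": ["./workspace/playbooks/"], "exclude": ["**/prod/**"],
                   "trigger": "alert acknowledged by user"},
         "approval": "required"},
    ],
}


if __name__ == "__main__":
    for label, m in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, check_manifest(m) or "ok")
```

The unscoped manifest produces ten findings (three missing scope keys for each of the three tasks, plus the ungated 'respond'); the scoped one produces none. `allowed_to_run` is the half a lint cannot cover: even with a complete manifest, a 'respond' invocation against a path outside its targets, matching an exclusion, or lacking an approval flag is refused at call time.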

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal