Back to skill

Security audit

AI Agent Onboarding Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a local onboarding helper that scans OpenClaw setup details and can write reports or optional install scripts, with some wording and metadata users should review.

Install only if you are comfortable with a local scan of your OpenClaw skills and local report/state files. Review any generated setup.sh before running it, because it can install multiple skills. Treat the package name, version, and license metadata inconsistencies as something to verify before relying on this publisher's claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises environment scanning and exact install commands but declares no permissions despite requiring env, file read/write, and shell capabilities. This creates a transparency and consent failure: users and policy engines cannot accurately assess what the skill may access or execute before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose is limited to onboarding, scanning, recommendations, and install commands, but the detected behavior includes persistent state, filesystem inspection, script generation, and writing onboarding bundles. This mismatch is dangerous because it can conceal materially more invasive actions than a user would reasonably expect from the description, increasing the risk of unauthorized persistence or execution artifacts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill goes beyond passive onboarding guidance by generating executable setup scripts containing install commands for recommended skills. In a security-sensitive agent ecosystem, producing runnable artifacts materially increases the chance that users will execute unreviewed third-party installs based on the wizard's recommendations, turning a recommendation engine into a software-deployment mechanism.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The weekly checkup feature introduces persistent state storage and ongoing environment monitoring that exceed the advertised '5-minute onboarding' purpose. While not directly exploitable on its own, this broadens the skill's data collection and persistence footprint, which increases privacy and trust risk if users did not expect continued tracking behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Team-wide export creates executable onboarding bundles and README guidance that can be redistributed to other users, amplifying the blast radius of any bad recommendation or compromised skill entry. For a personal onboarding wizard, this capability is unjustified and increases the risk of supply-chain style propagation through generated `setup.sh` artifacts.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation phrases are very broad and resemble normal conversation, which can cause accidental invocation during unrelated chat. In an onboarding skill that inspects the environment and recommends install commands, unintended activation could expose local system details or steer users toward actions they did not explicitly request.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are very broad ('Run the onboarding wizard', 'Set me up', 'What skills should I install?'), which increases the chance of accidental invocation during ordinary conversation. Because the skill can scan the environment and potentially execute or recommend setup actions, unintended activation could expose system details or initiate setup flows without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states it will scan OS, shell, installed tools, and system architecture, but it does not clearly warn users that system information will be collected or explain the scope of that access. Even if limited to compatibility checks, this can reveal sensitive environment details and normalizes data access without informed consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description advertises broad 'automated onboarding', 'environment scan', 'skill detection', and recurring 'weekly checkups' without defining activation boundaries, consent, or scope. In an agent skill, vague scanning language can enable over-collection of local context or unexpected autonomous behavior because users and orchestrators are not told what will be inspected or when it runs.

Natural-Language Policy Violations

Low
Confidence
76% confidence
Finding
The description states 'Automated onboarding for OpenClaw' and presents a personalized starter stack and setup scripts as part of the workflow, which can steer users into a specific product ecosystem without documenting choice, neutrality, or rationale. While not inherently malicious, this increases the chance of opaque tool installation or biased recommendations that users may accept without informed consent.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.