
Security audit

File Upload to Local Workspace

Security checks across malware telemetry and agentic risk

Overview

This skill is a real local file-upload tool, but it also runs a persistent network service with weakly scoped authentication and extra endpoints that can expose installed skills.

Install only if you are comfortable running a persistent HTTP service on port 15170. Bind it to localhost or firewall it, avoid placing long-lived gateway tokens or passwords in browser URLs, verify authentication works for your actual OpenClaw config, and be aware the service can list and export installed skills as well as manage uploaded files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The report claims safe token handling, but the documented access pattern embeds the gateway token in the page URL query string. Query parameters are routinely exposed via browser history, bookmarks, screenshots, reverse proxies, referrer leaks, and server/access logs, so this is a real credential exposure risk even if the application itself does not explicitly print the token.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The file states token values are not logged while also instructing users to browse to a URL containing the token. In practice, URLs are commonly captured by web server access logs, browser sync/history, proxy logs, and monitoring tools, making this claim misleading and creating a straightforward path for token disclosure.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The document instructs users to pass a gateway password via the `?token=` URL parameter, effectively treating a password like a bearer token. URL query parameters are commonly exposed in browser history, logs, proxies, referrers, screenshots, and shared links, so this guidance increases the chance of credential disclosure and reuse beyond the intended password-login flow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The installer reads the user's existing OpenClaw gateway token/password from the config file and reuses it as authentication for a separate upload service. This repurposes a sensitive credential across trust boundaries, increasing exposure and making compromise of the upload service potentially equivalent to compromise of the gateway secret.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The script installs, enables, and starts a persistent systemd service, turning the skill into a long-running network server rather than a one-shot local action. Persistence increases attack surface and can surprise users by leaving a service running across reboots without explicit opt-in.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: This upload server exposes additional capability to enumerate installed skills and reveal their filesystem paths and metadata, which exceeds a narrow file-upload role and broadens the attack surface. If token protection is absent or weak, an attacker can inventory installed components and use that information for follow-on targeting or unauthorized package retrieval.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding: The service can invoke a system zip subprocess to package arbitrary installed skills for download, turning an upload server into a code-export mechanism with subprocess execution. Although spawn is used with arguments rather than a shell, this still enables unauthorized exfiltration of installed skill contents and increases operational risk if exposed to untrusted users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The code reads a gateway authentication token directly from a user home configuration file, giving the service access to credential material beyond what a generic upload server needs. This creates unnecessary secret exposure inside the process and couples file-serving functionality to privileged local configuration, increasing the blast radius if the server is compromised or logs/debug paths leak state.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script extracts gateway credentials and passes them into the service environment, where they may be exposed via service definitions, process inspection, logs, or accidental reuse by the application. Doing this without clear user notice or segregation of secrets creates unnecessary credential leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installer starts a network-accessible HTTP upload service and advertises its URL using the host IP, which implies remote reachability on the local network. If authentication is weak, absent, or credential reuse is in play, this can expose file-upload functionality to unintended parties and enable unauthorized file placement or follow-on attacks.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Accessing gateway token material from local configuration without clear user-facing disclosure is a security and transparency problem, especially in a skill context where users may not expect credential access. Hidden secret reads make it easier to smuggle privileged behavior into an otherwise ordinary utility service and hinder informed consent and review.

Ssd 3

Severity: High
Confidence: 98%
Finding: The guide instructs the assistant to help users retrieve a private authentication token from a local config file and place it directly into a URL. Tokens in URLs are easily exposed through browser history, screenshots, logs, referrers, and copied chat transcripts, so this normalizes unsafe credential handling and increases the chance of credential leakage.

Ssd 3

Severity: High
Confidence: 99%
Finding: These instructions explicitly tell users to run shell commands that reveal the gateway token and then use it in a request URL. That encourages direct extraction and handling of a sensitive credential in plaintext, raising the risk of accidental disclosure to shell history, shoulder surfing, copied terminal output, and downstream logs.

Ssd 3

Severity: High
Confidence: 99%
Finding: The FAQ normalizes printing the token-bearing configuration file and manually copying the token value for use in requests. This is dangerous because it promotes unsafe secret disclosure practices and makes compromise more likely if the token is exposed in terminal logs, support screenshots, chat messages, or browser artifacts.

Ssd 3

Severity: High
Confidence: 99%
Finding: The example dialogue operationalizes the unsafe pattern by teaching the assistant to tell users to grep a local config file for a token and paste it into an access URL. Because examples are likely to be copied verbatim, this materially increases the likelihood of credential leakage and insecure deployment behavior.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec, suspicious.generated_source_template_injection

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Location: src/upload-server.js:200

User-controlled placeholder is embedded directly into generated source code.
Severity: Critical
Code: suspicious.generated_source_template_injection
Location: docs/AUTH-COMPATIBILITY.md:143

User-controlled placeholder is embedded directly into generated source code.
Severity: Critical
Code: suspicious.generated_source_template_injection
Location: SECURITY-AUDIT.md:94