instant-genius

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it makes broad, persistent changes to OpenClaw memory and behavior that users should review before enabling.

Install only if you intentionally want OpenClaw to keep persistent memory and act more proactively. Before running it, review the templates, back up AGENTS.md, SOUL.md, HEARTBEAT.md, MEMORY.md, and ~/self-improving, require a diff before appending anything, and periodically inspect or delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The template expands the agent's behavior from local configuration and memory setup into ongoing proactive monitoring of external sources such as industry trends and ClawHub/GitHub. That broadens scope beyond the stated setup purpose, can trigger unrequested network-facing behavior, and increases the chance of privacy, autonomy, and supply-chain exposure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The heartbeat content directs the agent to proactively monitor external ecosystems, including GitHub/ClawHub skills and broader AI/tool updates, which expands behavior beyond local memory/self-improvement setup into ongoing surveillance and unsolicited discovery. In an always-on heartbeat context, this can cause unbounded external access, scope creep, and unexpected outbound activity that the user did not explicitly authorize.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The README instructs users to invoke the skill with a very broad natural-language trigger, which can cause accidental activation when a user says something similar in ordinary conversation. In the context of a skill that performs setup and modifies agent behavior/configuration, unintended invocation is more dangerous because it may launch state-changing actions without deliberate confirmation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README describes automatic execution of a setup script and appending content into core configuration files, but it does not warn users that persistent behavioral and memory-related settings will be changed. This is risky because users may trigger installation without understanding the scope of modification, and in an agent-skill ecosystem, silent or underexplained config changes can permanently alter behavior and trust boundaries.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding:
The manifest advertises very broad natural-language triggers such as 'make me smarter', 'smart setup', and '一键变聪明', which can cause the skill to be auto-invoked in situations where the user did not clearly consent to persistent behavioral and configuration changes. In this skill's context, that is especially risky because it claims to modify agent memory, proactivity, and core operating behavior, so accidental invocation can permanently alter how the agent behaves.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The markdown encourages running setup immediately and recommends automatic execution, but it does not clearly warn that this will change persistent configuration files and memory behavior. Because the skill is designed to install self-improving memory, proactive behavior, and heartbeat logic into workspace config paths, the lack of disclosure can lead users to authorize durable, hard-to-audit changes without informed consent.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The preference trigger examples are broad enough to capture ordinary conversational phrasing as durable user-profile data, which can lead to over-collection and incorrect persistence of transient statements. In this skill's context, that risk is amplified because the skill is explicitly designed to make the agent proactively learn and remember user behavior, increasing the chance of silent profiling without clear consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The template instructs the agent to persist user corrections, preferences, workflows, and project/domain lessons into files under ~/self-improving without explicit notice or consent. Persistent storage of user-related behavioral data can create privacy risks, unexpected retention, and cross-session leakage of sensitive information into future tasks.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding:
The template directs the agent to automatically read prior persistent memory before non-trivial work, which means historical user data may influence current outputs without the user's awareness. This can cause hidden personalization, unintended use of stale or sensitive information, and reduced transparency about why the agent behaves a certain way.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The instructions explicitly tell the agent to delete outdated information from MEMORY.md, which is user-affecting data modification without an explicit confirmation step or safety guard. Because the skill is intended for one-click setup on new agents, this makes silent or overbroad data loss more likely if the agent misclassifies information as outdated.

VirusTotal

65/65 vendors flagged this skill as clean.
