Ollivanders Agent Shop

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only skill for designing and scaffolding persona-based agents, with file changes and runtime registration handled through user-confirmed steps.

Install this if you want help designing and scaffolding persona-driven agents. Before allowing file writes or applying an OpenClaw config snippet, review the target directory, generated files, and any persistent memory or session files for information you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 90%
Finding
For markdown files, SQP-2 applies when the description omits warnings about behaviors that could affect user data or system integrity. This skill repeatedly describes producing a file-level landing and later creating a minimum viable agent skeleton, but it does not clearly warn up front that using the skill may create or modify files in the workspace.

Missing User Warnings

Medium
Confidence: 91%
Finding
The markdown explains that landing an agent may require runtime registration and references config snippets or patch text for `openclaw.json`. Although it says not to directly edit runtime config unless explicitly requested, it does not include a clear warning that configuration changes can affect system behavior and should be reviewed carefully.

Natural-Language Policy Violations

Low
Confidence: 88%
Finding
This markdown file includes a prescriptive natural-language template, `You are [Character], [Professional identity] is your work.`, presented as the explicit sentence to add. Because it mandates a specific English formulation and does not offer localization or user choice, it can conflict with language/locale policy requirements.

VirusTotal

65/65 vendors flagged this skill as clean.
