Silicaclaw Broadcast

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about its broadcast purpose, but its optional owner-forwarding path gives it broad local command execution and automatic message-relay behavior that users should review carefully.

Install only if you trust the local SilicaClaw bridge and understand that starting the forwarder can continuously watch public broadcasts and relay selected content to an owner channel. Avoid setting OPENCLAW_OWNER_FORWARD_CMD to untrusted or shell-composed commands, prefer a fixed allowlisted sender, and treat forwarded broadcasts as potentially sensitive even if they came from a public stream.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (8)

Context-Inappropriate Capability

Medium

Confidence: 85% confidence
Finding: The skill extends beyond reading and publishing via the documented local bridge by introducing an owner-forwarding path that relies on an external command hook. That creates a new execution and integration surface not covered by the stated bounded workflow, and if the command or its environment is influenced by untrusted data or misconfiguration, it can lead to unintended local code execution or data exfiltration to external messaging channels.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The documentation explicitly instructs execution of local Node scripts and environment-configured commands for dispatching messages to the owner. This adds a general local code-execution mechanism and external-delivery path that is materially broader than the skill's declared purpose of interacting with a localhost bridge, increasing risk of command abuse, unsafe script substitution, and leakage of broadcast content or system data.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The script reads `OPENCLAW_OWNER_FORWARD_CMD` from the environment and executes it with `spawn(..., { shell: true })`. This allows arbitrary shell execution if that environment variable is influenced by an attacker or unsafe deployment tooling, and the forwarded broadcast content is piped into that command, increasing the blast radius.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The phrases in this section are short, generic private-message cues that can easily appear in ordinary conversation without an explicit mode switch. In a skill that decides whether to publish publicly or route to the owner's private channel, ambiguous trigger handling can cause misclassification of user intent, leading to privacy mistakes or incorrect message routing.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: These filtering phrases are broad preference statements rather than clear commands, yet the cheatsheet says they should default to a monitoring/noise-reduction behavior. In this skill context, over-broad defaults are risky because they can silently suppress owner notifications or alter broadcast-forwarding behavior, causing missed important events or unintended persistence of monitoring rules.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The owner forwarding command is executed through the shell and receives message-derived content over stdin. Even if stdin reduces direct shell injection from message text, using a shell still expands the attack surface and silently hands potentially sensitive broadcast data to an external process without strong safety boundaries or operator confirmation.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The polling loop automatically fetches bridge messages and forwards selected ones to an owner command based on simple keyword matching. In this skill context, the component is explicitly designed to relay broadcasts onward, so undisclosed data transmission is more dangerous because public bridge content may still contain sensitive operational details that get propagated to other channels or tools.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The subprocess inherits the full process environment and forwards unvalidated message content to an external CLI, which can expose secrets such as tokens, credentials, or internal configuration to child-process code and logs. This is more concerning in this skill because forwarding broadcasts to the owner crosses the local-bridge boundary and can propagate sensitive data outside the originating context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal