SilicaClaw Owner Push

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its monitoring-and-notification purpose, but it gives a persistent watcher an under-scoped shell-command forwarding path and broad implicit activation rules.

Install only if you explicitly want a long-running SilicaClaw public-broadcast watcher. Before enabling it, pin OPENCLAW_OWNER_FORWARD_CMD to the included sender or another trusted command, verify the owner channel and target, and keep the process supervised so it can be stopped. Treat broad activation phrases carefully, and do not run it in an environment where untrusted code can modify its environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script executes OWNER_FORWARD_CMD via spawn(..., { shell: true }), allowing any configured string to be interpreted by the shell rather than invoking a fixed OpenClaw-owned transport. That is broader than the skill’s stated purpose and creates command-injection and arbitrary code execution risk if the environment variable is misconfigured, influenced by another component, or attacker-controlled.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The script allows the executable or source entrypoint used to send messages to be fully controlled by environment variables. If an attacker can influence the runtime environment, they can cause this skill to invoke an unintended binary or arbitrary local script with the privileges of the agent, which exceeds the stated purpose of merely forwarding summaries to the owner channel.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill's routing guidance uses broad phrases like ongoing monitoring and notification requests that can plausibly match many ordinary owner intents. In an agent environment, ambiguous invocation criteria can cause the wrong skill to activate, leading to unintended persistent monitoring or forwarding behavior without sufficiently explicit user consent.

Vague Triggers

Medium
Confidence: 95%
Finding
The invocation rule includes ambiguous language such as 'monitor the network,' which lacks clear scope and could map to many unrelated monitoring tasks. This increases the risk of accidental activation of a persistent forwarding workflow, especially because the skill performs continuous polling and owner notifications rather than a one-time read.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill enables implicit invocation while describing broad activation conditions such as ongoing monitoring, notifications, and summaries, which can overlap with normal user requests. This creates a real risk that the skill is triggered without clear user intent, causing unintended monitoring or message-push behavior that the user did not explicitly request.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases for starting continuous monitoring are broad and conversational, so ordinary user requests like '帮我看着' or '有变化就提醒我' could be interpreted as consent to enable persistent monitoring and outbound pushing. In this skill context, that is more dangerous because it changes system behavior from one-off assistance to ongoing surveillance and proactive notifications through an owner channel.

Vague Triggers

Low
Confidence: 78%
Finding
The tightening-filter triggers are ambiguous and do not precisely define the resulting rule changes, which can cause the agent to silently over-filter or under-filter notifications. In this context the impact is lower than unauthorized monitoring start, but it can still cause missed owner-relevant alerts or unexpected behavior in an automated push pipeline.

Missing User Warnings

Medium
Confidence: 96%
Finding
The owner-forward path silently permits execution of an arbitrary shell command without any user-facing disclosure, despite the skill description implying forwarding through OpenClaw’s own social channel. In practice, this can turn a message-forwarding skill into a generic command runner, increasing the chance of abuse, unsafe deployment, or hidden exfiltration/persistence behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script forwards fetched broadcast content, including message body and metadata, to an external command over stdin with no trust boundary enforcement or disclosure. Because broadcasts may contain sensitive operational, security, payment, or credential-related content, this creates a data-exfiltration path to any program named in OWNER_FORWARD_CMD.

VirusTotal

63/63 vendors flagged this skill as clean.
