Multi Step Workflow

Security checks across malware telemetry and agentic risk

Overview

This workflow skill is mostly coherent, but it can persist sensitive task context and falsely report that snapshots were cleared while keeping the data on disk.

Review before installing. Keep snapshots and sub-agents disabled unless you understand your OpenClaw runtime's isolation and logging behavior, and do not rely on this version's snapshot clear command to remove sensitive saved context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to execute shell-capable commands (`node`, `openclaw`) but does not declare corresponding permissions in the manifest. This creates a trust and enforcement gap: a reviewer or runtime may treat the skill as lower risk than it really is, while the skill still attempts code execution and configuration changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The manifest markets the skill as an audit-hardened, sandboxed workflow, but the behavior described includes broader stateful operations such as context snapshotting, task tracking, temp-directory management, and config mutation without clear alignment or limitation. This mismatch can mislead users and security reviewers about the real behavior and trust boundaries, causing them to approve a skill with more persistence and side effects than advertised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill claims private sandboxed operation, yet it directs the agent to read and write `openclaw` configuration that is likely global or user-scoped rather than task-local. Persistent configuration changes can outlive the current task, alter later agent behavior, and violate the promised isolation model.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The workflow states that workers are sandboxed, but the file provides no actual sandboxing mechanism, policy, or enforcement before allowing sub-agent spawning. This can give users false assurance and lead to delegated execution with the same privileges as the parent agent, expanding the attack surface without the promised isolation.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The `clear` command claims to remove preserved context, but it actually rewrites the snapshot file with the original `task`, `findings`, and `pending` values and merely stuffs a timestamp into the `lastError` field via an assignment expression. This creates a data-retention flaw: operators may believe sensitive task context was deleted when it remains recoverable on disk, which is especially risky for a workflow tool explicitly designed to persist context across compaction.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The `load` path prints the entire stored snapshot, including raw `task`, `findings`, `pending`, `lastError`, and `project_root`, directly to stdout. In CLI and agent environments, stdout is commonly logged, captured in transcripts, or surfaced to other components, so this can expose sensitive operational context beyond the intended local storage boundary.

VirusTotal

64/64 vendors flagged this skill as clean.