SkillUp

Security checks across malware telemetry and agentic risk

Overview

SkillUp appears to be a legitimate publishing helper, but it needs review: it publishes with platform tokens, can replace local agent skill files, and disables TLS certificate validation for one OpenClaw status call.

Install only if you need a shell-based multi-platform skill publisher. Use least-privilege tokens, run redact-check and dry-run first, verify that every configured URL is a trusted HTTPS endpoint, and avoid install-local and rollback unless you are comfortable replacing local agent skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill exercises shell, environment-variable, and file read/write capabilities in practice but does not explicitly declare those permissions or warn users about them. In an agent ecosystem this reduces informed consent: the tool can be invoked with broad local and credential access without the user realizing its full scope.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The top-level description frames the skill as a packaging/sync tool, but the documented behavior goes further: secret scanning, local installation, rollback, version bumping, doctor checks, and potentially creating/updating remote repositories and releases. This mismatch can mislead users or supervising agents into authorizing the skill under a narrower trust model than its actual capabilities warrant.

Context-Inappropriate Capability

Severity: High
Confidence: 91%
Finding: `rollback` downloads a ZIP from GitHub and replaces the local skill directory with its contents, trusting the remote release asset without validating integrity, provenance, or path safety beyond unzip defaults. If the configured repo, tag, or release asset is malicious or compromised, a user can be induced to overwrite local skill files with attacker-controlled content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: The code explicitly sets NODE_TLS_REJECT_UNAUTHORIZED=0 before invoking the CLI. In Node that disables TLS certificate validation for every connection the CLI process makes, not only the status request. An on-path attacker can then intercept or spoof the remote service, so any returned status data is untrustworthy, and credentials or other sensitive traffic the CLI sends over those connections are exposed.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The documentation describes publish, install-local, and rollback operations without an explicit warning that they can overwrite local files, install into agent skill directories, or alter remote platform state. In a semi-autonomous agent context, omission of these warnings increases the chance of unintended destructive actions or persistence-like installation behavior.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill documents multiple tokens and API keys but does not clearly warn that publish/status operations may transmit those credentials or derived authenticated requests to third-party platforms. This creates a privacy and security risk because users may provide sensitive credentials without understanding when and where they will be used.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This code removes the existing local skill directory and replaces it during rollback without any interactive warning, confirmation, or dry-run preview at the point of execution. That makes accidental data loss or unintended replacement much more likely, especially because the source content comes from a remote GitHub release.
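A hardened version of the rollback step that this finding and the earlier Context-Inappropriate Capability finding on `rollback` describe, added here as an example; it is not SkillUp's or OpenClaw's own code. It is written in Python rather than the skill's shell, assumes the release asset is a ZIP of the skill directory with a SHA-256 digest pinned out of band (`EXPECTED_SHA256` is computed locally here only so the example runs offline), and stands constructed in-memory archives in for the GitHub download. It shows the four things the findings say are missing: an integrity check, inspection of the archive before extraction (traversal and symlink entries are refused), a dry-run preview, and a confirmation step before the old tree is moved aside rather than deleted.

```python
"""Hardened rollback: verify, inspect, stage, confirm, then swap (added example)."""
import hashlib
import io
import os
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsafe_members(zf: zipfile.ZipFile) -> list:
    """Entry names that could escape the target directory, plus symlink entries.

    Python's zipfile strips traversal components on extract, but a release asset
    that needs repairing should fail loudly rather than be silently sanitised.
    """
    bad = []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        parts = [p for p in name.split("/") if p]
        if name.startswith("/") or os.path.splitdrive(name)[0] or ".." in parts:
            bad.append(info.filename)
        elif stat.S_ISLNK(info.external_attr >> 16):  # Unix mode lives in the high 16 bits
            bad.append(info.filename)
    return bad


def rollback(asset: bytes, expected_sha256: str, skill_dir: Path, confirm, dry_run: bool = False) -> dict:
    """Replace skill_dir with the archive contents only after every check passes."""
    digest = sha256_hex(asset)
    if digest != expected_sha256:
        raise ValueError(f"digest mismatch: got {digest[:12]}, want {expected_sha256[:12]}")
    with zipfile.ZipFile(io.BytesIO(asset)) as zf:
        bad = unsafe_members(zf)
        if bad:
            raise ValueError(f"refusing archive with unsafe entries: {bad}")
        files = sorted(n for n in zf.namelist() if not n.endswith("/"))
        if dry_run:
            return {"applied": False, "files": files}
        if not confirm(f"replace {skill_dir} with {len(files)} files from asset {digest[:12]}?"):
            return {"applied": False, "files": files}
        # Extract beside the target, never into it, so a failure leaves the old tree intact.
        stage = Path(tempfile.mkdtemp(prefix=skill_dir.name + ".stage-", dir=skill_dir.parent))
        zf.extractall(stage)
    backup = skill_dir.with_name(skill_dir.name + ".bak")
    if backup.exists():
        shutil.rmtree(backup)
    if skill_dir.exists():
        skill_dir.rename(backup)  # the old tree survives as a backup instead of being rm -rf'd
    stage.rename(skill_dir)
    return {"applied": True, "files": files, "backup": str(backup)}


def make_zip(entries: dict) -> bytes:
    """Constructed test archive standing in for the downloaded release asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


GOOD_ASSET = make_zip({"SKILL.md": b"# demo skill v1\n", "scripts/publish.sh": b"#!/bin/sh\necho publish\n"})
EXPECTED_SHA256 = sha256_hex(GOOD_ASSET)  # stands in for the pinned, out-of-band digest
TAMPERED_ASSET = make_zip({"SKILL.md": b"# demo skill v1\n", "../../.profile": b"echo injected\n"})


def demo() -> dict:
    """Run the happy path and both failure modes against a throwaway skill directory."""
    root = Path(tempfile.mkdtemp(prefix="skillup-demo-"))
    skill_dir = root / "skillup"
    skill_dir.mkdir()
    (skill_dir / "SKILL.md").write_text("# old skill\n")
    always_yes = lambda question: True  # a real CLI would prompt here
    out = {}
    out["dry_run"] = rollback(GOOD_ASSET, EXPECTED_SHA256, skill_dir, always_yes, dry_run=True)
    out["applied"] = rollback(GOOD_ASSET, EXPECTED_SHA256, skill_dir, always_yes)
    out["new_content"] = (skill_dir / "SKILL.md").read_text()
    out["backup_content"] = (Path(out["applied"]["backup"]) / "SKILL.md").read_text()
    for key, digest in (("tampered", EXPECTED_SHA256), ("traversal", sha256_hex(TAMPERED_ASSET))):
        try:
            rollback(TAMPERED_ASSET, digest, skill_dir, always_yes)
        except ValueError as exc:
            out[key] = str(exc)
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order of the checks matters: the digest is compared before the archive is opened, the entry list is inspected before anything is extracted, and extraction goes into a sibling staging directory so the swap at the end is a pair of renames with the previous tree kept as `.bak`. The tampered archive is rejected twice, once for a digest mismatch and, if an attacker could also publish a matching digest, again for the traversal entry.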

Missing User Warnings

Severity: High
Confidence: 99%
Finding: This is the same underlying issue as above: TLS verification is disabled silently, with no warning or opt-in from the user. Because this tool publishes and inspects skills on external platforms, weakening transport security in a supply-chain context is especially dangerous: an on-path attacker could tamper with platform responses or induce unsafe behavior based on forged data.
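The weak invocation and a hardened one side by side, as an added example covering the two NODE_TLS_REJECT_UNAUTHORIZED findings and the overview's advice to use least-privilege tokens and trusted HTTPS endpoints; this is not SkillUp's or OpenClaw's code. The `openclaw status --url ...` argv, the `OPENCLAW_TOKEN` variable name and the allowlisted host are assumptions. The environment-variable semantics are Node's own: `NODE_TLS_REJECT_UNAUTHORIZED=0` turns off certificate validation for every TLS connection the child process makes, and `NODE_EXTRA_CA_CERTS` is the supported way to trust a private CA without turning validation off.

```python
"""Invoking a Node-based CLI without the process-wide TLS kill switch (added example)."""
import os
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration; substitute the real platform hosts.
ALLOWED_STATUS_HOSTS = {"status.example.test"}

# The only parent variables a child CLI legitimately needs. Other platform tokens and
# cloud credentials are never copied across, so the child cannot read or transmit them.
BASELINE_VARS = ("PATH", "HOME", "LANG", "TMPDIR")

# Constructed parent environment used by the demo: the kill switch is exported and
# several unrelated secrets are present, exactly the situation the allowlist guards against.
DEMO_PARENT_ENV = {
    "PATH": "/usr/bin", "HOME": "/home/op", "NODE_TLS_REJECT_UNAUTHORIZED": "0",
    "OPENCLAW_TOKEN": "t1", "GITHUB_TOKEN": "g1", "AWS_SECRET_ACCESS_KEY": "a1",
}


def check_endpoint(url: str, allowed_hosts=ALLOWED_STATUS_HOSTS) -> str:
    """Accept only an https URL whose host is allowlisted and that carries no credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"endpoint host not on allowlist: {host or '<none>'}")
    if parts.username or parts.password:
        raise ValueError("refusing URL with embedded credentials")
    return parts.geturl()


def endpoint_error(url: str):
    """Message from check_endpoint, or None when the URL is acceptable."""
    try:
        check_endpoint(url)
    except ValueError as exc:
        return str(exc)
    return None


def weak_env(parent_env: dict) -> dict:
    """The pattern the findings describe: the child skips validation on every TLS connection."""
    env = dict(parent_env)
    env["NODE_TLS_REJECT_UNAUTHORIZED"] = "0"
    return env


def hardened_env(parent_env: dict, token_var: str, extra_ca_bundle=None) -> dict:
    """Allowlist-built environment: one token, no inherited kill switch, optional private CA."""
    env = {k: parent_env[k] for k in BASELINE_VARS if k in parent_env}
    if token_var in parent_env:
        env[token_var] = parent_env[token_var]
    # NODE_TLS_REJECT_UNAUTHORIZED is simply never copied, even if the operator's shell exports it.
    if extra_ca_bundle:
        env["NODE_EXTRA_CA_CERTS"] = extra_ca_bundle  # trust a private CA, validation stays on
    return env


def build_status_command(url: str, parent_env: dict, token_var: str = "OPENCLAW_TOKEN", extra_ca_bundle=None):
    """Return (argv, env) for the status call; the caller hands both to subprocess.run."""
    endpoint = check_endpoint(url)
    argv = ["openclaw", "status", "--url", endpoint]  # hypothetical CLI and flag
    return argv, hardened_env(parent_env, token_var, extra_ca_bundle)


if __name__ == "__main__":
    argv, env = build_status_command("https://status.example.test/v1/skills", dict(os.environ))
    print(argv, sorted(env))
    # subprocess.run(argv, env=env, check=True)  # the real call, omitted so the example runs offline
```

The hardened environment is built from an allowlist of variables rather than a copy of the parent's, so the child never sees other platform tokens or cloud credentials; that addresses the Env Variable Harvesting pattern listed at the top of the report as well as the TLS finding. If the platform really does sit behind a private CA, the fix is a CA bundle in `NODE_EXTRA_CA_CERTS`, not a flag that turns validation off for the whole process.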

VirusTotal

62/62 vendors reported this skill as clean.
