Acp

Security checks across malware telemetry and agentic risk

Overview

This ACP messaging skill is coherent, but it needs manual review because it installs external code, changes persistent OpenClaw settings, publishes profile data, stores local records and secrets, and can grant a configured remote owner broad control.

Install only if you trust the external ACP plugin source, its npm dependencies, and the ACP network. Before enabling it, pin or inspect the repository, restrict allowFrom to trusted AIDs, treat seedPassword as a secret, review generated agent.md before sync, and understand that identities, contacts, summaries, group messages, and OpenClaw configuration changes may persist locally.
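Added example, not OpenClaw or ACP plugin code, that turns the checklist above into a pre-install audit: it rejects an empty or wildcard allowFrom, a weak seedPassword, and agent.md lines that look like secrets, home paths or addresses, and it redacts secret-like keys so the audit output never echoes the seed. The config layout (an "acp" object holding allowFrom and seedPassword), the AID strings and the sample files are assumptions constructed for illustration.

```python
"""Pre-install audit for an ACP skill configuration and its generated agent.md.

Added example, not OpenClaw or ACP plugin code. The config layout (an "acp" object
holding "allowFrom" and "seedPassword") and the AID format are assumptions made
for illustration; adapt the key paths to the real openclaw.json before use.
"""
import re
from dataclasses import dataclass, field

# Content a reviewer would not want in a profile that becomes public at a predictable URL.
# These are heuristics and will produce false positives; they are meant to force a look.
SENSITIVE_LINE_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*\S+"),
    re.compile(r"\b[A-Za-z0-9_-]{32,}\b"),                      # long opaque strings
    re.compile(r"(?:/home/|/Users/|[A-Za-z]:\\Users\\)\S+"),   # absolute home paths
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                # bare IPv4 addresses
]
SECRET_KEY = re.compile(r"(?i)(password|secret|token|key)")
WEAK_SEEDS = {"", "password", "changeme", "seed", "test"}
MIN_SEED_LEN = 16


@dataclass
class AuditResult:
    problems: list = field(default_factory=list)
    redacted_config: dict = field(default_factory=dict)

    def ok(self) -> bool:
        return not self.problems


def redact(obj):
    """Copy of obj with values under secret-looking keys replaced, for safe reporting."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if SECRET_KEY.search(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def audit(config: dict, agent_md: str) -> AuditResult:
    """Check allowFrom, seedPassword and the agent.md text; never echo the seed."""
    res = AuditResult()
    acp = config.get("acp", {})

    allow = acp.get("allowFrom") or []
    if not allow:
        res.problems.append("allowFrom is empty: any AID can message you and create contacts")
    elif any(a.strip() in ("", "*") or a.endswith("*") for a in allow):
        res.problems.append("allowFrom contains a wildcard; list explicit trusted AIDs")

    seed = acp.get("seedPassword") or ""
    if seed.strip().lower() in WEAK_SEEDS or len(seed) < MIN_SEED_LEN:
        res.problems.append(f"seedPassword missing or weak; use >= {MIN_SEED_LEN} random characters")

    for n, line in enumerate(agent_md.splitlines(), 1):
        if any(p.search(line) for p in SENSITIVE_LINE_PATTERNS):
            res.problems.append(f"agent.md line {n} looks sensitive: {line.strip()[:60]}")

    res.redacted_config = redact(config)  # safe to include in a completion report
    return res


# Constructed sample input, not taken from any real install.
SAMPLE_CONFIG = {
    "plugins": {"acp": {"enabled": True}},
    "acp": {"allowFrom": ["*"], "seedPassword": "changeme"},
}
SAMPLE_AGENT_MD = """# Example agent
Capabilities: summarise documents, answer questions
Workspace: /home/alice/projects/internal-roadmap
Notes: api_key=sk-example-0123456789
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, SAMPLE_AGENT_MD)
    for p in result.problems:
        print("PROBLEM:", p)
    print("config as it may appear in a report:", result.redacted_config)
```

Run it against the real openclaw.json and the agent.md the skill generates before sync; anything it flags in agent.md is content that will be fetchable by whoever knows the profile URL, so remove it or accept that exposure deliberately.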

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium, 94% confidence
Finding
The document states that agent.md is automatically uploaded when an ACP connection is established and that the file becomes publicly accessible via a predictable URL, but it does not clearly warn users that profile contents may be exposed to anyone who can fetch that URL. In a security-sensitive agent ecosystem, implicit publication of identity/profile data can cause unintended disclosure of personal, organizational, or operational metadata.

Missing User Warnings

Medium, 96% confidence
Finding
Workspace mode automatically derives agent.md content from multiple local files and uploads it, which creates a data disclosure risk even if only selected fields are intended to be extracted. Because the process is automatic, users may not realize that local workspace metadata, capabilities, tasks, or inferred profile details are being transformed into a public-facing document.

Missing User Warnings

Medium, 92% confidence
Finding
The documentation states that receiving a message from a new AID automatically creates a contact and assigns an initial trust score, but it does not warn users that incoming untrusted traffic can mutate persistent contact data. In a messaging/contact-management plugin, silent state changes increase the risk of contact-list poisoning, unwanted data retention, and downstream trust decisions being made on attacker-triggered entries.

Missing User Warnings

Medium, 95% confidence
Finding
The file says AI-generated session summaries are appended to the contact's notes field without any privacy or integrity warning, meaning model output can silently alter user-visible metadata. In this skill's context, those notes may later influence operator judgment or automated workflows, so hallucinated, sensitive, or attacker-shaped summaries could poison records and leak conversation content into long-lived storage.
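One way to address the previous two findings (contacts created from untrusted traffic, and model summaries written into contact notes), as an added example rather than the plugin's own code: unknown AIDs go to a bounded in-memory quarantine instead of the persisted contact list, trust is only ever set by the operator, and model-generated summaries are stored apart from operator notes with their provenance and an unverified flag. The record layout, the allowFrom handling and the AID strings are assumptions made for illustration.

```python
"""Contact handling where unsolicited traffic cannot mutate persistent records.

Added example, not the ACP plugin's code. The Contact fields, the allowFrom
list and the quarantine cap are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Contact:
    aid: str
    trust: int                     # set only by the operator, never by inbound traffic
    notes: str = ""                # operator-written text, never touched by the model
    model_notes: list = field(default_factory=list)  # model output kept apart, with provenance


class ContactStore:
    QUARANTINE_CAP = 100  # bounds the state an unknown sender can make us keep

    def __init__(self, allow_from):
        self.allow_from = set(allow_from)
        self.contacts = {}    # aid -> Contact; this is the persisted contact list
        self.quarantine = {}  # aid -> message count; in-memory only, never persisted

    def on_message(self, sender_aid: str, body: str) -> str:
        """Return 'accepted', 'quarantined' or 'dropped' for an inbound message."""
        if sender_aid in self.contacts:
            return "accepted"
        if sender_aid in self.allow_from:
            # Known-trusted AID: create the record, but with a neutral trust value.
            self.contacts[sender_aid] = Contact(aid=sender_aid, trust=0)
            return "accepted"
        if sender_aid not in self.quarantine and len(self.quarantine) >= self.QUARANTINE_CAP:
            return "dropped"  # refuse to grow state for a flood of fresh AIDs
        self.quarantine[sender_aid] = self.quarantine.get(sender_aid, 0) + 1
        return "quarantined"

    def approve(self, aid: str, trust: int) -> Contact:
        """Operator explicitly promotes a quarantined AID and chooses its trust."""
        self.quarantine.pop(aid, None)
        self.contacts[aid] = Contact(aid=aid, trust=trust)
        return self.contacts[aid]

    def add_summary(self, aid: str, summary: str, model: str) -> int:
        """Attach a model-generated session summary without altering operator notes."""
        c = self.contacts[aid]
        c.model_notes.append({
            "text": " ".join(summary.split())[:500],  # flatten and cap length
            "model": model,
            "at": datetime.now(timezone.utc).isoformat(),
            "verified": False,  # stays False until a human checks it
        })
        return len(c.model_notes)


if __name__ == "__main__":
    # Constructed traffic, not a real session.
    store = ContactStore(allow_from=["acp-aid-trusted-peer"])
    print(store.on_message("acp-aid-trusted-peer", "hello"))      # accepted
    print(store.on_message("acp-aid-stranger", "buy now"))         # quarantined
    print(sorted(store.contacts))                                  # only the trusted AID
    store.add_summary("acp-aid-trusted-peer", "Agreed to share\nthe roadmap", "local-llm")
    print(store.contacts["acp-aid-trusted-peer"].notes == "")      # True: notes untouched
```

The point of the split is that anything downstream that reads `notes` to make a trust or routing decision sees only operator-written text, while summaries remain available for review but carry their origin with them.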

Missing User Warnings

Medium, 88% confidence
Finding
The document explicitly states that pulled group messages are persisted locally in JSONL files under a predictable path, but it does not warn users that potentially sensitive group content will remain on disk. In a messaging/group-chat context, silent local retention increases privacy and data-exposure risk, especially on shared systems, backups, or compromised hosts.

Missing User Warnings

Medium, 96% confidence
Finding
The instructions require generating a seedPassword, persisting it into configuration, and then echoing it back in the completion report. That exposes a long-term secret in chat/UI logs and increases the chance of credential reuse, accidental disclosure, or account takeover if transcripts or terminal history are accessed.

Missing User Warnings

Medium, 91% confidence
Finding
The skill instructs the agent to back up and modify ~/.openclaw/openclaw.json, enable plugins, alter bindings, and create agent.md under the user's home directory without an explicit pre-write warning or consent checkpoint. Silent local file changes can surprise users, overwrite intended state, or weaken trust boundaries if the agent performs configuration changes the user did not clearly authorize.
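Added example of the consent checkpoint this finding asks for, not OpenClaw's own code: the proposed change is rendered as a unified diff, nothing is written unless the operator approves that exact diff, the backup and the new file are created with mode 0600 because the config may hold seedPassword, and the replacement is atomic. The keys the change sets (plugins.acp.enabled, bindings.acp) are placeholders for whatever the skill really edits, not the real OpenClaw schema; the config it runs on is constructed in a temporary directory.

```python
"""Guarded edit of an OpenClaw-style JSON config with a consent checkpoint.

Added example, not OpenClaw or plugin code. The keys it sets ("plugins.acp.enabled",
"bindings.acp") are placeholders for whatever the skill really changes; the real
schema must be taken from OpenClaw's documentation.
"""
import difflib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def planned_change(cfg: dict) -> dict:
    """Assumed example mutation; returns a new dict and leaves cfg untouched."""
    new = json.loads(json.dumps(cfg))
    new.setdefault("plugins", {}).setdefault("acp", {})["enabled"] = True
    new.setdefault("bindings", {})["acp"] = {"allowFrom": []}
    return new


def render_diff(old: dict, new: dict) -> str:
    a = json.dumps(old, indent=2, sort_keys=True).splitlines(keepends=True)
    b = json.dumps(new, indent=2, sort_keys=True).splitlines(keepends=True)
    return "".join(difflib.unified_diff(a, b, "openclaw.json (current)", "openclaw.json (proposed)"))


def apply_with_consent(path: str, change, consent):
    """Show the exact diff, require consent(diff) to return True, back up, write atomically.

    Returns (applied, diff, backup_path). Nothing is written unless consent is given.
    """
    with open(path, encoding="utf-8") as f:
        current = json.load(f)
    proposed = change(current)
    diff = render_diff(current, proposed)
    if not diff:
        return False, "", None          # already in the desired state
    if not consent(diff):
        return False, diff, None        # operator declined; file untouched

    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup = f"{path}.{stamp}.bak"
    shutil.copy2(path, backup)
    os.chmod(backup, 0o600)             # the config may hold seedPassword

    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".openclaw-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(proposed, f, indent=2, sort_keys=True)
        f.write("\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)               # atomic: readers see old or new, never a partial file
    return True, diff, backup


def demo() -> dict:
    """Run the whole flow in a temporary directory on a constructed config."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openclaw.json")
        with open(path, "w", encoding="utf-8") as f:
            json.dump({"plugins": {}}, f)
        declined, diff1, _ = apply_with_consent(path, planned_change, lambda diff: False)
        with open(path, encoding="utf-8") as f:
            after_decline = json.load(f)
        applied, diff2, backup = apply_with_consent(path, planned_change, lambda diff: True)
        with open(path, encoding="utf-8") as f:
            after_apply = json.load(f)
        again, diff3, _ = apply_with_consent(path, planned_change, lambda diff: True)
        return {
            "declined_applied": declined,
            "diff_shown_before_decline": "+" in diff1,
            "unchanged_after_decline": after_decline == {"plugins": {}},
            "applied": applied,
            "backup_exists": backup is not None and os.path.exists(backup),
            "enabled_after_apply": after_apply["plugins"]["acp"]["enabled"],
            "idempotent_second_run": again is False and diff3 == "",
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real agent the `consent` callback is the point where the operator is shown the diff and asked to confirm; an agent that calls `planned_change` and writes directly is exactly the silent mutation the finding describes.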

Missing User Warnings

Medium, 90% confidence
Finding
The network precheck directs the skill to use the ACP SDK to load/create identities and call online() to obtain connection details, causing external network communication without a clear warning or opt-in. Unannounced outbound connections can leak metadata such as agent identifiers, server endpoints, or account state and may violate user expectations in a local-install workflow.

Vague Triggers

Medium, 90% confidence
Finding
The trigger description is overly broad: it says to use the skill when users ask about rankings, activity scores, agent profiles, searches, or broadly 'ACP data'. In an agent system, vague routing criteria can cause the skill to activate for loosely related requests and unnecessarily send user prompts or derived queries to an external service, increasing privacy leakage and unintended network use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal