Security audit

Langgraph Idea Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent coding-plan helper that calls an external MiniMax-compatible model and checks local script filenames for deduplication, with privacy caveats but no evidence of malicious behavior.

Install only if you are comfortable sending your prompt and a small local list of OpenClaw script filenames to the MiniMax API using your environment API key. Avoid entering secrets or confidential client/project names, and consider removing sensitive filenames from the scanned scripts directory before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents the use of an environment-variable credential (`EM_API_KEY`) and describes external model access, but no corresponding permissions or explicit capability declarations are present. This creates hidden access to sensitive runtime configuration and can mislead users or policy systems about what the skill can read and transmit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates behavior: beyond generating ideas, the skill classifies requests, evaluates complexity, reads local script inventory, and sends both user content and local filesystem-derived data to an external LLM API. That mismatch undermines informed consent and increases the risk of unintended disclosure of local metadata and user prompts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill's stated purpose is generating coding ideas, but it also enumerates local scripts in a workspace and later uses and exposes that inventory. This expands the data-access scope beyond user expectations and can reveal filenames, project structure, or sensitive script names that may contain business context or secrets.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation phrases are broad enough to match ordinary conversation, increasing the chance the skill runs when the user did not intend to invoke it. In this context, accidental activation is more dangerous because the skill may access local script inventory and send prompt contents to an external model.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation references an API key and external model integration but gives no clear warning that user input and potentially local context will be transmitted off-device. This prevents informed consent and can expose sensitive requests or filesystem-derived metadata to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The plan node sends a directory listing of the user's local workspace to an external LLM without explicit notice or consent. Even filenames alone can disclose confidential project names, client names, internal tooling, or strategic work, and the skill context makes this more dangerous because users would reasonably expect an 'idea generator' rather than local inventory disclosure.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The description explicitly presents the skill in Chinese, which can steer outputs toward a language the user did not request. This can reduce user control, create confusion, and undermine expected behavior, especially in multilingual environments where users expect responses to follow their own language preference.

Ssd 3

Medium
Confidence
84% confidence
Finding
In JSON mode, the tool returns the raw user request verbatim, which can leak secrets or sensitive business text into logs, downstream agents, or calling systems that persist output. Because this is machine-consumable output, it may be propagated widely without the user's awareness.

Ssd 3

Medium
Confidence
82% confidence
Finding
The human-readable output prints the entire request back to the console, which can expose secrets entered by the user through terminal history capture, screen sharing, logs, or shoulder surfing. This is a data-minimization failure, especially for a tool that may be used interactively with ad hoc sensitive requests.

VirusTotal

63/63 vendors flagged this skill as clean.