Security audit

Tmp Openclaw Typecho

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because it gives an agent persistent credentials to directly publish, update, and delete live blog content with broad activation wording.

Install only if you are comfortable letting an agent manage a live Typecho blog. Use a dedicated low-privilege blog account, store the token in a proper secret store if your agent supports one, rotate the token if exposed, and require explicit user confirmation before public publishing, updating, or deleting posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The skill states that the AI must only use a fixed category whitelist and must not create new categories, but the API documentation later says that passing a new category name will auto-create it. This contradiction can cause the agent to drift outside the intended taxonomy, enabling accidental creation of arbitrary categories and weakening governance, moderation, and content-routing assumptions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The top-level skill description uses broad triggers like '知识库' (knowledge base), '归档' (archive), and '我的博客' (my blog), which are common phrases that may appear in unrelated conversations. This increases the chance of unintended skill activation, causing the agent to read stored credentials and perform blog operations when the user did not clearly intend publication or content management.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The trigger list includes ambiguous commands such as '写笔记' (write notes), '归档' (archive), '我的博客' (my blog), and '清理博客文章' (clean up blog posts), without strong scope boundaries or confirmation requirements. In a skill that can create, update, and delete remote content using persisted tokens, ambiguous activation materially raises the risk of unintended destructive or privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the AI to persist the blog domain and API token locally so future operations can occur without re-prompting, but it does not clearly warn the user about credential storage risks, retention scope, or who can reuse that token later. Because the token grants direct publish/update/delete access to a live blog, silent persistence increases the chance of unauthorized reuse, accidental cross-session actions, and credential exposure through local storage or logs.

VirusTotal

61/61 vendors reported this skill as clean.