
Security audit

Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised ecommerce asset workflow, but it needs review because it grants broad OAuth access and can upload local files or arbitrary URL contents to a remote service with limited safeguards.

Install only if you trust AI Product Space and are comfortable granting broad account authorization. Use explicit product-image paths or public image URLs you intend to upload, avoid confidential or regulated product assets unless the provider terms allow it, and confirm before starting credit-consuming generation or reusing an existing workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares OAuth auth and documents manual use of an API key plus a remote base URL, but it does not declare corresponding permissions even though it clearly needs environment/config access and network access. This weakens platform review and user transparency, making it easier for a skill to exfiltrate configured secrets or send uploaded product images and generated assets to an external service without explicit permission gating.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The OAuth config requests a wildcard scope ("*") even though the skill’s stated purpose is limited to generating ecommerce assets from uploaded product photos. Overbroad scopes violate least-privilege and can grant the remote service unnecessary access to user data or platform capabilities if the token is reused or the provider is compromised.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include generic terms such as 'product images', 'generate product', and 'product video', which are broad enough to match ordinary user requests unrelated to this specific skill. Overbroad triggers can cause unintended activation, resulting in user images or prompts being sent to an external third-party service unexpectedly and potentially consuming paid credits.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The example invocation uses a natural everyday phrase ('帮我生成蓝牙耳机的电商素材', "help me generate ecommerce assets for Bluetooth earphones") without any explicit activation boundary, which encourages ambient triggering from common conversation. In this skill's context, accidental activation is more sensitive because it can initiate remote processing of user-provided images and potentially bill the user's account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client fetches an arbitrary user-supplied URL server-side via `fetch(imageUrl)` and then uploads the retrieved content onward, which creates an SSRF-style primitive. An attacker could cause the environment running this code to make requests to internal services, cloud metadata endpoints, or otherwise hidden network locations; in this ecommerce-image skill context, accepting remote product image URLs makes this especially reachable.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example explicitly tells users they can provide a local file path or image URL for product images, but it does not disclose privacy, retention, or data-handling implications. In a workflow that uploads user-provided media to a remote service and generates downstream assets, this can lead users to unintentionally expose sensitive local files, proprietary product imagery, or metadata without informed consent.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The example explicitly reuses a prior workspace (`space_id: "abc123"`) to generate new assets without any visible confirmation, scoping explanation, or warning about using existing user/project data. In a multi-project or shared environment, this can lead to accidental use of the wrong workspace contents, causing unintended data exposure or generation based on another user's or another product's assets.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill explicitly states it can read user-specified local product image files, but it does not instruct the agent to clearly notify the user about local file access or obtain explicit consent at the moment of access. This can lead to unexpected access to local data and weakens user awareness around privacy-sensitive operations, even if the intended file is just a product image.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow directs the agent to upload product images and run generation through an external API, but it does not require informing the user that their image will be transmitted to a third-party service for processing. This creates a meaningful privacy and data-governance risk, especially if product images contain unreleased products, branding, embedded metadata, or other sensitive commercial information.

VirusTotal

61/61 vendors on VirusTotal reported this skill as clean.


Static analysis

No suspicious patterns detected.