Terminal Killer

Security checks across malware telemetry and agentic risk

Overview

This skill is a real terminal command runner, but it can auto-run local commands and execute shell startup files during detection with limited user control.

Install only if you intentionally want an OpenClaw skill that can run local terminal commands automatically. Review the detection rules first, assume commands run with your normal user privileges and environment, and be aware it may read shell history and source shell startup files during detection. Avoid using it around sensitive shell profiles, secrets, or ambiguous prompts unless you add stricter confirmation or sandboxing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The detector is not purely inspecting input; it invokes a shell command via execSync and prepends shell initialization code that sources user startup files. This means classification of text can trigger execution of arbitrary code already present in .zshrc/.bashrc, turning a low-risk detection step into an unexpected code-execution path.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The detector reads recent shell history files to influence execution decisions, exposing sensitive user activity unrelated to the immediate prompt. In this skill context, that broadens data access beyond what users would expect from a command classifier and can leak secrets or prior commands into agent behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Before executing the detected command, the skill sources shell startup files such as ~/.zshrc, ~/.bashrc, and ~/.profile. That means handling a user command can also execute arbitrary code embedded in those files, expanding execution beyond the requested command and creating a risky, non-obvious code path.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill's advertised purpose is command detection and execution, but it also loads and executes code from user shell startup files. This adds hidden behavior unrelated to simple command dispatch and increases the attack surface, especially because shell init files frequently contain arbitrary functions, aliases, and external command invocations.

Vague Triggers

High
Confidence
95% confidence
Finding
The activation criteria are broad enough that many short, imperative, non-command user inputs could be misclassified as shell commands and executed automatically. In the context of an agent skill that explicitly bypasses LLM review and runs commands directly, ambiguous routing materially increases the risk of unintended command execution.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README promotes direct execution of user-entered shell commands as a core behavior without an overarching warning that commands can modify files, leak data, or damage the system. For a skill designed to skip AI processing and execute locally, this omission makes the unsafe operating model more dangerous because users may underestimate the consequences.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill is designed to auto-activate on inputs it classifies as commands and explicitly bypass LLM mediation for direct execution. In this context, broad activation language is highly dangerous because ordinary user text can be misclassified as a shell command, leading to unintended command execution.

Vague Triggers

High
Confidence
99% confidence
Finding
Triggers like 'starts with a verb-like word', 'short input', and 'no question words' are far too ambiguous for a system that executes shell commands. Many benign natural-language requests satisfy those conditions, so the detector can misroute normal conversation into shell execution with potentially destructive consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill automatically sources shell init files and reads the user environment, but the description does not present this as a prominent privacy and security warning. That matters because init files and environment variables may contain secrets, custom aliases, or unsafe shell code that change execution behavior in ways the user may not expect.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The description explicitly says the skill will 'automatically' identify shell commands and 'run immediately' to skip normal AI processing, which creates a broad activation surface for dangerous command execution. In the context of a terminal-execution skill, overly permissive invocation language increases the chance that benign-looking user input, prompt injection, or ambiguous text is misclassified as a command and executed locally.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The examples explicitly label short phrases like 'build', 'deploy', and 'start server' as borderline triggers that may lead to confirmation prompts. In a skill whose core purpose is direct shell execution, ambiguous everyday phrases can be misclassified and turn conversational input into command execution, especially if confirmation UX is weak or bypassable.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation prominently presents direct execution of file, network, package-manager, and process commands without a strong global warning that these inputs will run on the host system. In an agent skill designed to bypass LLM review and execute immediately, normalization of such examples increases the risk that users or downstream integrators underestimate execution danger.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The testing guide includes examples like "help me write code" alongside direct execution detection, and the skill's purpose is to bypass LLM handling when input looks like a shell command. In this context, overly broad trigger examples can normalize ambiguous natural-language inputs near an auto-execution boundary, increasing the risk that benign conversational text is misclassified and run as a command.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The manual testing section contrasts commands with natural language, but the guidance remains ambiguous for help-style phrasing in a system designed to execute commands directly. Because this skill intentionally skips AI processing, unclear boundaries around natural-language help requests can cause unsafe auto-execution decisions or inconsistent handling of user intent.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The checklist uses vague categories such as help requests and explanations without specifying concrete rejection rules. In a command-execution skill, this lack of specificity can lead implementers to rely on loose heuristics that overlap with ordinary speech, creating a real risk of executing unintended input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that the skill sources shell startup files, inherits the full PATH, and preserves all environment variables. For a skill that auto-detects and executes commands, this significantly expands the trust boundary and can expose secrets, unsafe aliases/functions, and user-specific tooling without any warning or minimization strategy.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sourcing shell startup files during detection executes arbitrary shell code from user-controlled rc files without any warning or approval. Because this happens in a classifier for deciding whether to run a command, the skill context makes it more dangerous: merely analyzing input can trigger side effects and code execution before any explicit command run occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code executes attacker- or user-controlled shell text via execSync after prepending commands that source the user's shell init files, which can load aliases, functions, secrets, and other sensitive environment state before execution. In this skill's context, the explicit purpose is to auto-detect and directly run terminal commands without LLM review, which materially increases the chance of dangerous or unintended command execution and secret exposure.

Missing User Warnings

High
Confidence
99% confidence
Finding
If detectCommand returns EXECUTE, the skill runs the user input directly with execSync and no user-facing confirmation at this point. In the context of a skill explicitly designed to auto-run shell commands, misclassification or prompt injection into upstream input handling can immediately trigger destructive system commands.

VirusTotal

64/64 vendors flagged this skill as clean.
