DNFM Weekly Dungeon Progress Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local DNFM progress tracker with disclosed local JSON persistence; it has minor data-loss and bundle-hygiene caveats but no evidence of hidden execution, credential access, network use, or exfiltration.

Install only if you are comfortable with the skill keeping local progress and config JSON files under /root/.openclaw/workspace/dnfm-tracker/. Be aware that on scheduled refresh days after 6 AM, even checking status may reset progress, and the unrelated MLOL documentation file is odd but not used by the tracker code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation indicates it reads from and writes to persistent files, but no corresponding permissions are declared. This creates a capability/permission mismatch that can bypass user expectations and platform governance, especially because the files are stored under /root and may be modified automatically during normal use.

Missing User Warnings

Medium
Confidence: 92%
Finding: The skill states that it will automatically read and write JSON files under /root without prominently warning the user that persistent state will be created and modified. Even if the data is only game progress, silent persistence can surprise users, overwrite prior state, and normalize unsafe file access patterns in a privileged directory.

VirusTotal

66/66 vendors flagged this skill as clean.
