Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Kemia connector purpose, but it needs review because importing from Kemia can overwrite files chosen by the server without local filename validation.

Install only if you trust the Kemia deployment you connect to and are comfortable uploading the listed OpenClaw markdown configuration files. Be cautious with /import in this version: prefer a release that validates filenames against a fixed allowlist and shows the files or diff before overwriting workspace content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script trusts remote `.files[].filename` values from the Kemia API and writes them directly under `${WORKSPACE}` without validating or normalizing paths. A malicious or compromised server could supply filenames containing `../`, absolute paths, or sensitive workspace-relative targets, causing arbitrary file overwrite outside intended config locations and potentially leading to code execution or persistence when the agent later loads those files.

Missing User Warnings

Medium
Confidence: 92%
Finding
The integration guide demonstrates extracting and echoing the API key directly to stdout without any warning that it is a bearer credential. In real deployments, stdout is often captured by shell history, CI logs, terminal recording, or support transcripts, so this pattern can leak a token that grants full access to the Kemia instance.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script automatically reads local workspace files such as SOUL.md, MEMORY.md, AGENTS.md, and TOOLS.md and POSTs their full contents to the remote Kemia service after enrollment completes. Although this appears to be intended product behavior, it is still a real data exfiltration risk because the transfer happens without an explicit just-in-time consent prompt or file list review at the moment of transmission, and those files may contain secrets, prompts, or sensitive operational context.

Missing User Warnings

Medium
Confidence: 92%
Finding
The import operation overwrites existing workspace files automatically with server-provided content and only keeps best-effort backups for files that already exist. In this skill context, imported agent configuration directly affects runtime behavior, so silent replacement can disable safeguards, introduce malicious prompts/tools, or break the agent with no user review step.

External Transmission

Medium
Category: Data Exfiltration
Content
  payload=$(jq -n --arg name "${AGENT_NAME}" --argjson files "${files_json}" '{name: $name, files: $files}')

  local response
  response=$(curl -sf -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${key}" \
    -d "${payload}" \
Confidence: 89%
Finding
curl -sf -X POST -H "Content-Type: application/json" -H "Authorization: Bearer ${key}" -d

VirusTotal

67/67 vendors flagged this skill as clean.