Security audit

the king is watching

Security checks across malware telemetry and agentic risk

Overview

This skill does not show malware, but it overstates workflow-enforcement guarantees while encouraging broad automated jobs with persistence and background execution.

Review carefully before installing. Use this only for workflows where local checkpoint files are acceptable, avoid vague bulk-download or bulk-API prompts, specify trusted sources and output folders, and do not rely on the advertised resume, verification, or audit-trace guarantees without testing them first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The demo prints a success claim that a full execution trace was saved even though this file only simulates progress and does not persist any trace. In a workflow-enforcement skill, false auditability claims can mislead users into trusting nonexistent evidence of completion, verification, or compliance.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The feature list advertises capabilities such as checkpoint resume, heartbeat timeout prevention, and async execution, but this demo file does not exercise or implement them. In security-sensitive automation tooling, overstating guarantees can cause unsafe operator assumptions about reliability, resumability, and oversight controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The advertised checkpoint resume behavior is not implemented correctly: resume() restores state but then calls run(), which generates a new run_id, reinitializes context, and starts execution from step 0. In a workflow-enforcement skill, this can cause duplicated actions, loss of checkpoint integrity, and false assumptions that partially completed work will continue safely from the saved point.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The installation guide includes a one-line natural-language command that initiates downloading 100 research reports without any disclosure of network access, source validation, rate limiting, copyright considerations, or data-handling safeguards. In an agent skill that emphasizes automatic execution and preventing the agent from skipping steps, this increases the chance that a user or downstream agent will trigger broad external activity without informed consent or review.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The skill promotes broad natural-language commands like downloading large numbers of reports without clear constraints, source restrictions, or approval gates. In context, this is more dangerous because the skill is explicitly designed to enforce completion and persistence, which can amplify harmful or overbroad requests into sustained file and network activity.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The recommended one-liner pattern uses generic requests such as downloading reports or writing large documents without requiring disambiguation of data sources, ownership, or output destinations. This can lead to unintended scraping, copyright/privacy issues, or mass generation actions being launched from a single vague prompt, especially in a tool built to prevent interruption and continue automatically.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill summary and examples do not warn users that operations may involve bulk downloads, persistent file handling, background execution, and external notifications. That omission is risky because users may expose sensitive data or trigger high-impact automation without understanding that artifacts can be stored locally and sent to third-party channels.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The OpenClaw messaging example shows sending completion messages and attaching files to Discord without any privacy notice, redaction step, or consent flow. This is dangerous because task outputs, reports, or packaged artifacts may contain sensitive or proprietary information that would be exfiltrated to an external service by default or with minimal friction.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The guide recommends sending completion notifications to Discord without warning that task metadata, status, or possibly sensitive workflow details may be transmitted to a third-party service. In an agent workflow tool handling downloads, reports, analysis, or development tasks, users may unknowingly leak confidential job names, progress data, or results to external systems.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: Workflow state is persisted automatically to local disk, including context data, step results, and temporary state, without explicit disclosure or consent. In this skill's context, workflows may contain prompts, intermediate outputs, identifiers, or other sensitive operational data, so silent persistence increases the risk of unintended local data exposure and retention.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: Asynchronous job metadata is written to disk without clear disclosure, which can expose workflow names, job IDs, timing, status, and potentially error details to other local users or processes. While less sensitive than full workflow state, it still creates unnecessary information leakage about user activity and task execution.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.