create-agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to create an OpenClaw agent, but it makes persistent setup changes and asks for sensitive channel credentials without enough safeguards.

Install only if you intend to let it modify your local OpenClaw setup. Review the workspace path and all OpenClaw/npx commands before running them, skip channel binding unless needed, use least-privilege bot credentials, avoid pasting long-lived secrets into chat, and review the installed self-improvement skills and future evolution proposals before approving changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium, 90% confidence

Finding: The trigger scope is extremely broad, covering essentially any request related to agent creation, initialization, or registration. This can cause the skill to activate in situations where the user intended only to ask a question or discuss options, leading to unintended file creation, CLI actions, or account/channel configuration steps.

Missing User Warnings

Medium, 95% confidence

Finding: The skill directs the agent to generate files, register agents, install plugins, and bind channels, all of which modify the local system or service configuration, but it does not require an explicit warning or final user confirmation immediately before these changes occur. This increases the risk of unintended persistent changes, especially if the skill is triggered too broadly or runs in a privileged environment.

Missing User Warnings

Medium, 97% confidence

Finding: The skill explicitly instructs collection of highly sensitive credentials including bot tokens, app secrets, refresh tokens, access tokens, and even raw service-account JSON content. In the context of an agent-creation skill, this is more dangerous because the agent may prompt users to paste secrets directly into chat or other logged interfaces, creating a realistic path to credential exposure, retention, or misuse.

Ssd 3

Medium, 93% confidence

Finding: The skill establishes persistent recording of every session into memory and learning logs for later processing by other components. This creates a durable data-retention surface that may capture sensitive user content, credentials, personal data, or operational details without clear minimization, redaction, retention limits, or explicit opt-in.

VirusTotal

66/66 vendors flagged this skill as clean.
