Back to skill

Security audit

PansModel Manager

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by managing a local model configuration, but users should understand it can store API keys and change or delete model providers.

Install only if you are comfortable with a helper that edits your local OpenClaw/PanSclaw model config. Back up ~/.openclaw-pansclaw/openclaw.json first, avoid using production API keys unless plaintext local storage is acceptable, restrict file permissions, and double-check provider names before running switch or delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs users to manage model configurations and explicitly points to a local config file, which implies file read/write behavior. Because the skill declares no permissions despite requiring configuration modification, it creates a transparency and policy gap: users and the platform may not understand that local files will be altered. In a model-management skill, undeclared file access is more dangerous because it affects persistent runtime behavior and can silently redirect future model traffic.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad terms like '模型管理', '切换模型', and '模型设置', which can match ordinary conversation and cause unintended invocation. In this skill's context, accidental activation is more risky than usual because the exposed actions include changing providers, deleting configs, and handling API keys, potentially causing configuration tampering or credential exposure through an unintended workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script takes an API key as a positional command-line argument and persists it directly into a JSON config file. Command-line arguments are often exposed via shell history, process listings, logging, and crash reports, so this creates a real credential-handling weakness even though the script itself does not exfiltrate the secret.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.