clawsec-feed

Security checks across malware telemetry and agentic risk

Overview

The skill is a security advisory feed that, as documented, downloads advisory data from GitHub, optionally polls for new entries, and matches them against locally installed skills; the issues found are guidance and scoping concerns, not evidence of hidden or harmful behavior.

Install only from the intended Prompt Security/GitHub release path and prefer the signed manifest/checksum verification flow over the README quick curl snippet. Expect the skill to fetch advisory data from GitHub/Prompt Security and, if you use the heartbeat examples, to keep a small local state file and compare advisories against installed skill names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The feed advertises itself as OpenClaw-related, but it includes a large volume of unrelated Hermes, PicoClaw, NanoClaw, and other advisories. In security automation, this kind of scope drift is dangerous because downstream tooling may make patching, alerting, triage, or trust decisions based on incorrect package relevance, causing false alarms, alert fatigue, and potentially missed real OpenClaw issues amid noisy data.
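The scope drift described in this finding, together with the heartbeat behavior mentioned in the Overview (a small local state file compared against installed skill names), is easiest to reason about in code. The following is an added example, not code from clawsec-feed or Prompt Security: it filters a feed down to advisories for the product actually in use and for skills actually installed, and records reported IDs in a state file so each advisory is surfaced once. The feed schema shown (`id`, `product`, `skill`, `severity`) is an assumption, since the page does not document the real format, and the sample entries and installed-skill list are constructed.

```python
import json
import os
import tempfile

# Constructed sample feed. The real clawsec-feed schema is not shown on the
# page; the field names id, product, skill and severity are assumptions.
SAMPLE_FEED = [
    {"id": "ADV-001", "product": "openclaw", "skill": "weather-helper", "severity": "high"},
    {"id": "ADV-002", "product": "hermes", "skill": "weather-helper", "severity": "high"},
    {"id": "ADV-003", "product": "openclaw", "skill": "pdf-tools", "severity": "medium"},
    {"id": "ADV-004", "product": "picoclaw", "skill": "git-sync", "severity": "low"},
]

# Constructed list of skill names installed on this host.
INSTALLED = {"weather-helper", "git-sync"}


def relevant_advisories(feed, product, installed):
    """Keep only advisories for the product we run and for a skill we have installed.

    Dropping the other products here is what prevents Hermes/PicoClaw entries
    from triggering patch or alert decisions on an OpenClaw host.
    """
    return [
        a for a in feed
        if a.get("product", "").lower() == product.lower()
        and a.get("skill") in installed
    ]


def load_seen(state_path):
    """Return the set of advisory IDs already reported, or an empty set on first run."""
    if not os.path.exists(state_path):
        return set()
    with open(state_path) as fh:
        return set(json.load(fh))


def save_seen(state_path, seen):
    """Write the state file atomically so a crash never leaves it half-written."""
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(sorted(seen), fh)
    os.replace(tmp, state_path)


def poll_once(feed, product, installed, state_path):
    """One heartbeat: return IDs that are relevant and not yet reported, then persist them."""
    seen = load_seen(state_path)
    new = [a for a in relevant_advisories(feed, product, installed) if a["id"] not in seen]
    save_seen(state_path, seen | {a["id"] for a in new})
    return [a["id"] for a in new]


def run_demo():
    """Two consecutive heartbeats against the constructed feed in a fresh temp state dir."""
    state = os.path.join(tempfile.mkdtemp(), "clawsec-state.json")
    first = poll_once(SAMPLE_FEED, "openclaw", INSTALLED, state)   # ['ADV-001']
    second = poll_once(SAMPLE_FEED, "openclaw", INSTALLED, state)  # [] (already reported)
    return first, second


if __name__ == "__main__":
    print(run_demo())
```

Of the four constructed advisories, only ADV-001 survives: ADV-002 and ADV-004 are for other products even though they name installed skills, and ADV-003 is for OpenClaw but for a skill that is not installed. Without the product filter, a host running only OpenClaw would be alerted on three of the four entries.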

Missing User Warnings

Medium
Confidence: 90%
Finding
The README encourages users to fetch a remote `.skill` artifact directly with `curl` and does not pair that step with an immediate verification command or prominent warning against installing unverified artifacts. In a security-oriented package, normalizing direct download of executable skill content increases supply-chain risk if the release asset, transport path, or user workflow is compromised.
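The Overview recommends the signed manifest/checksum verification flow over the README's bare `curl`, and this finding explains why. The following is an added example, not code from clawsec-feed or its README: it parses a `sha256sum`-style manifest, hashes the downloaded `.skill` artifact, and refuses to proceed when the artifact is unlisted or its digest does not match. The artifact bytes and manifest are constructed in a temporary directory so the example runs offline; the file name `clawsec-feed.skill` is used only as a placeholder for whatever the real release asset is called.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed digest for {name!r}")
        digests[name] = digest
    return digests


def sha256_file(path):
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact_path, manifest_text):
    """Return (ok, reason). Only install when ok is True."""
    name = os.path.basename(artifact_path)
    expected = parse_checksum_manifest(manifest_text).get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_file(artifact_path)
    # compare_digest avoids leaking the position of the first differing byte via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}"
    return True, "ok"


def run_demo():
    """Constructed artifact and manifest: a good download, a tampered one, and an unlisted file."""
    workdir = tempfile.mkdtemp()
    artifact = os.path.join(workdir, "clawsec-feed.skill")  # placeholder name, not the real asset
    with open(artifact, "wb") as fh:
        fh.write(b"constructed skill archive contents\n")
    manifest = f"{sha256_file(artifact)}  clawsec-feed.skill\n"
    good = verify_artifact(artifact, manifest)

    # Simulate a swapped or modified release asset fetched after the manifest was published.
    with open(artifact, "ab") as fh:
        fh.write(b"injected\n")
    tampered = verify_artifact(artifact, manifest)

    unlisted = os.path.join(workdir, "other.skill")
    open(unlisted, "wb").close()
    missing = verify_artifact(unlisted, manifest)
    return good[0], tampered[0], missing[0]


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

A checksum fetched from the same location as the artifact only detects corruption or a partial swap; if an attacker controls the release asset they can republish the manifest too. Binding the manifest to the publisher requires the signature step of the signed-manifest flow, which this example leaves to the signing tool and assumes has already been checked before the manifest text is trusted.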

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger list is broad enough to match many ordinary security discussions such as 'security alerts', 'security news', and 'check advisories'. In an agent ecosystem, this can cause the skill to activate in contexts where the user did not explicitly ask for this package, increasing the chance of unintended prompt injection exposure, unnecessary network access, or advisory content being surfaced in unrelated workflows.

VirusTotal

64/64 vendors reported this skill as clean (no detections).
