OKR for clawbot

Security checks across malware telemetry and agentic risk

Overview

This OKR skill is a focused local planning helper that writes OKR notes to one disclosed memory file.

Install this if you want OpenClaw to maintain a local OKR history across sessions. Avoid storing passwords, keys, private credentials, or highly sensitive personal or business details in OKR notes, and review ~/.openclaw/workspace/memory/okr.md if you want to see or edit what is retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The activation description uses broad terms like goal management, quarterly planning, review, scoring, and knowledge capture, which can cause the skill to trigger during ordinary conversations that are not intended to modify persistent state. In this skill's context, overbroad activation is more dangerous because the skill is designed to maintain and update a local memory file, so a mistaken trigger can lead to unintended data creation or alteration.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill description states that information will be maintained in a persistent local file, but it does not clearly warn the user at activation time that using the skill may write or update stored data. This is dangerous because users may provide planning, work, or retrospective details without realizing they are being persisted, creating privacy, consent, and integrity risks in the local workspace.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal