Federation Ethical Hand

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ethics-review skill that may broadly influence relevant responses and keep local ethics artifacts or metrics, but its behavior matches its stated purpose.

Install this if you want an ethics and cultural-perspective layer to affect relevant answers. Before using it with sensitive prompts, review or monitor the files under ~/.openclaw/hands/federation_ethic_hand and clear or disable retained artifacts if you do not want local records kept.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The 'When to Load' section includes a broad catch-all trigger ('Any ethically ambiguous decision with multiple legitimate viewpoints'), which can cause the skill to activate on a large class of requests without clear limits. In agent systems, ambiguous activation criteria can unpredictably alter behavior, introduce unnecessary web/fetch handling, and increase the chance of unwanted persistence or policy interference.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill states it will 'Write artefacts; log ethics metrics' and references persistent files, but does not clearly warn the user that enabling the skill may modify local state or retain interaction-derived metadata. Hidden or poorly disclosed data-affecting behavior is risky because users may unknowingly permit persistence of sensitive prompts, classifications, or derived annotations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal