Security audit

Code Stats

Security checks across malware telemetry and agentic risk

Overview

This skill locally counts files, lines, and language distribution in an OpenClaw workspace, with no evidence of network transfer, file changes, or hidden behavior.

Install if you are comfortable with a local Node.js script reading files under the hardcoded OpenClaw workspace to compute aggregate counts. It does not transmit or modify files, but the path is not configurable without editing the script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The manifest description and usage text are written entirely in Chinese, which imposes a specific language/locale on users without any opt-in or documented regional justification. Under the policy rule, language constraints should either be optional for the user or clearly justified as region-specific.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.