Ogp

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support legitimate OGP federation, but it deserves review because it delegates sensitive agent access to an unpinned external CLI and includes under-scoped peer-state reset guidance.

Before installing, review and pin the `@dp-pcs/ogp` CLI version you trust. Only approve verified peers, customize granted scopes instead of accepting broad defaults when possible, protect OpenClaw tokens and `~/.ogp*` state files, and do not run the `peers.json` reset commands unless you intentionally want to remove all peer relationships for the exact framework files being changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to back up and then overwrite `peers.json` with an empty array, which irreversibly clears federation state for that framework unless restored manually. Even with a backup step, the instructions do not clearly warn that this removes peer trust relationships, can break active federation/project collaboration, and may require re-federation or reapproval, making accidental operational damage plausible.

VirusTotal

66/66 vendors flagged this skill as clean.
