Blueai Models

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a normal BlueAI model-configuration helper, but one test script can send an unrelated local API key to the BlueAI relay if run without an explicit key.

Review before installing if you use multiple AI provider keys. Run test_model.py with an explicit BlueAI key, avoid relying on OPENAI_API_KEY or automatic config fallback, do not commit API keys, and back up ~/.openclaw/openclaw.json before using add_model.py.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The document instructs users to place an API key in configuration and to use an external relay/pricing endpoint, but it does not warn about protecting credentials, scoping API keys, or the privacy implications of sending prompts and images through a third-party proxy service. In a model-configuration skill, this omission can cause users to expose secrets in configs, logs, screenshots, or commit history and to unknowingly route sensitive data through an intermediary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal