Back to skill

Security audit

dxh141130

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can use saved credentials to change real workplace timeclock records without a strong confirmation boundary.

Review carefully before installing. Use this only if you trust the publisher and are comfortable with an agent logging into WPS Time from saved Keychain credentials. Prefer explicit commands like "punchclock status" or "punchclock clock in," require confirmation before any punch action, avoid sharing screenshots in sensitive channels, and verify that your WPS login flow is protected appropriately in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The code returns up to 2000 characters of authenticated page text in `snippet`, which goes beyond the described 'brief confirmation' and may include sensitive employment or account information from the timeclock portal. Because this data is emitted to stdout for upstream tooling, it can be logged, stored, or exposed outside the immediate user interaction.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is broad enough to match common workplace phrases like 'status' or 'check status', increasing the chance the skill activates unintentionally. Because the skill performs real timeclock actions, accidental invocation could cause unauthorized punches or expose attendance information without deliberate user intent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs attaching screenshots from the time system but does not require any privacy minimization or warning. Those screenshots may contain employee names, identifiers, schedules, or punch history, so automatically sharing them can leak sensitive workplace data to the chat channel or logs.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The suggested trigger phrases include very common expressions like 'status' and 'check status', which can easily collide with unrelated user requests in normal conversation. Because this skill performs real-world account actions against a timekeeping system, accidental invocation could cause unintended punches or disclosure of employment status information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The runbook explicitly directs the agent to use stored macOS Keychain credentials without prompting or warning the user. That creates hidden credential use and reduces user awareness that a local secret is being accessed to authenticate to an external service, which is especially risky in an automation context.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script can perform irreversible timekeeping actions like clock-in and clock-out and then captures a full-page screenshot, all without any in-script confirmation gate or warning. In an agent setting, mistaken invocation, prompt confusion, or misuse could alter attendance records and preserve sensitive page contents in screenshot artifacts.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Steward should:
1) Open an OpenClaw-managed **isolated browser** (profile `openclaw`).
2) Navigate to WPS Time / NetTime.
3) Login using **macOS Keychain** credentials (do not prompt user).
4) Perform the requested action (select the Action dropdown + click Punch).
5) Read resulting status/time from page.
6) Take screenshot.
Confidence
90% confidence
Finding
do not prompt user

Credential Access

High
Category
Privilege Escalation
Content
(Punch button submits the selected action.)

## Credentials
Stored in macOS Keychain.

Preferred services:
- `wpstime-punchclock`
Confidence
94% confidence
Finding
Keychain

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.