Skill Authoring

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward skill-authoring helper; no hidden network access, credential use, persistence, or destructive behavior was found.

Before installing, understand that this skill may guide an agent to create or package files in local OpenClaw skill directories and may use local OpenClaw helper scripts. Review those external helper scripts if they are outside this package or installed in privileged locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger text is very broad, covering generic phrases like creating, building, packaging, or reviewing a skill in both English and Chinese. Overbroad invocation criteria can cause the skill to activate in unintended contexts, increasing the chance that sensitive authoring or packaging instructions are surfaced when the user did not intend to invoke this capability.

VirusTotal

66/66 vendors flagged this skill as clean.
