AOI Sandbox Shield (Lite)

Security checks across malware telemetry and agentic risk

Overview

This is a small local snapshot and JSON-validation helper with no artifact-backed network, destructive, or hidden behavior, though it can duplicate local OpenClaw state files.

Install only if you are comfortable with a local tool that copies OpenClaw config, state, and memory files into snapshot folders. Review snapshot contents before attaching or sharing them, and delete old snapshots when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: High
Confidence: 91%
Finding:
The documentation explicitly states the skill does not send messages externally, yet the associated implementation reportedly posts data to remote URLs. That mismatch is dangerous because users may run the skill with sensitive workspace/config data under false assumptions, enabling covert data exfiltration or unauthorized telemetry.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding:
Claiming that all commands only print JSON to stdout creates a misleading trust boundary when the code also performs external side effects. Users and automation may treat the skill as safe for offline or sensitive environments, so undisclosed network activity can leak data, violate policy, or trigger unintended actions.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding:
The stated scope limits the skill to snapshots, JSON validation, and audit-log generation, but the implementation reportedly performs external communications outside that scope. In a skill framed as a 'public-safe' local utility, hidden communications materially increase risk because it may handle configuration files and workspace state that can contain secrets or operational metadata.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The snapshot command copies several files from the user's home/workspace into a new snapshot directory and writes a manifest without any confirmation, allowlist configuration, or visibility controls. While this appears intended as a backup feature rather than overtly malicious behavior, it processes potentially sensitive local files (for example config and memory/state documents) and creates additional persisted copies that increase exposure if the workspace is shared, synced, or later exfiltrated.

VirusTotal

66/66 vendors flagged this skill as clean.