Workspace Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real workspace self-healing helper, but it asks to run automatically and can repeatedly change local workspace files and OpenClaw configuration without clear approval or rollback controls.

Install only if you want an autonomous OpenClaw workspace repair helper. Before enabling startup or heartbeat execution, review the shell script, back up openclaw.json, require confirmation for config edits and gateway restarts, and confirm that making Markdown files world-readable with chmod 644 is acceptable in your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill invokes shell execution (`bash scripts/guardian-startup.sh`) while declaring no permissions, which creates a capability/visibility gap. In an auto-invoked startup and heartbeat context, hidden shell access is especially risky because operators and policy engines may not realize arbitrary local commands can run with workspace privileges.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: A description-behavior mismatch is dangerous because the skill appears to do routine workspace healing, but static analysis indicates it also creates additional files and changes permissions beyond the declared scope. Undisclosed file creation and permission modification can mask persistence, alter audit trails, or weaken filesystem protections under the guise of maintenance.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The skill is configured for automatic execution on startup, every heartbeat, and on loosely defined recurring errors, which makes invocation conditions overly broad. Broad autonomous triggers increase the chance of repeated unintended file/config mutations, denial-of-service through repair loops, or abuse by an attacker who can induce the trigger conditions.

VirusTotal

65/65 vendors flagged this skill as clean.