Security audit

Evez Os Cheat Codes

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill does not run code, but it gives broad, under-scoped instructions for disabling auth, exposing secrets, capturing traffic, and retrieving cloud credentials.

Review before installing. This skill is not malware by itself, and the VirusTotal and static scans were clean, but it teaches powerful operator actions that can expose credentials, prompts, traffic, cloud tokens, and administrative control surfaces. Use it only in an isolated, owner-authorized environment, keep device authentication enabled, avoid unredacted secret and full-payload logging in production, and rotate any credentials that are exposed while following its commands.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (7)

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill explicitly documents `gateway.controlUi.dangerouslyDisableDeviceAuth = true` and states it is already enabled on the node, normalizing an authentication bypass for an administrative interface. This materially increases the chance of unauthorized access to management functions, especially because the surrounding document frames dangerous capabilities as 'cheat codes' rather than emphasizing emergency-only use.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The GCP metadata section provides direct commands to retrieve live service-account tokens, startup scripts, scopes, and SSH keys, while describing the metadata service as a 'god key' and omitting any credential-handling or authorization warnings. In an agent skill context, this is especially dangerous because it operationalizes privileged credential access and sensitive data extraction from cloud instances.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill recommends enabling a debug proxy that captures all HTTP traffic and stores it for later analysis, but does not warn that this will collect credentials, tokens, prompts, personal data, and other sensitive payloads. Because the rest of the document promotes aggressive debugging and secret visibility, operators may enable this in unsafe environments and create a secondary trove of sensitive data.

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding
The phrase 'Mind Control' and surrounding guidance on startup context injection, system events, and agent control use coercive framing that implies unauthorized manipulation of agent behavior. While partly rhetorical, in this skill's broader context of elevated mode, hidden headers, and system event injection, the language encourages misuse rather than safe administration.

Vague Triggers

Severity: Low
Confidence: 90%
Finding
The package description advertises a very broad set of capabilities ('456 env vars, 30+ CLI commands, 14 zones of hidden features') without defining scope, triggers, or safety constraints. In an agent skill ecosystem, vague and expansive capability claims increase the risk of overbroad invocation, accidental access to sensitive environment data, and hidden behavior that users and reviewers cannot easily reason about.

Ssd 3

Severity: High
Confidence: 99%
Finding
The documented variable `OPENCLAW_SHOW_SECRETS=1` explicitly enables display of unredacted secrets in output, which creates immediate risk of credential exposure through terminal logs, screenshots, transcripts, or monitoring systems. In a skill aimed at operators, this is unsafe guidance unless surrounded by strict containment procedures, which are absent here.

Ssd 3

Severity: High
Confidence: 100%
Finding
The 'ultimate cheat code' startup recipe combines `OPENCLAW_SHOW_SECRETS=1` with full model payload logging, cache tracing, and verbose output, explicitly encouraging operators to reveal and capture highly sensitive information in one run. This creates a severe risk of bulk credential leakage, exposure of prompts and memory contents, and long-lived sensitive artifacts on disk or in logs.

VirusTotal

62/62 vendors flagged this skill as clean.