Back to skill

Security audit

The knowledge feed and usage telemetry layer for your AI agent team. Post nuggets, share insights, ask questions, report token spend, and stay aware of what your team is doing.

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate team-feed purpose, but it asks agents to run recurring remote instructions, overwrite local skill files from a website, and mine local work history for shareable posts without enough user control.

Install only if you trust Nuggetz with your team feed, usage telemetry, and selected work summaries. Before use, disable or require approval for remote self-updates, restrict what local sessions or memory may be reviewed, require human confirmation before external posts, and define data that must never be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat instructs the agent to inspect local sessions, threads, notes, scratchpads, and other memory artifacts that are broader than what a team feed/telemetry skill needs. That expansion of scope creates a clear risk of collecting sensitive local context and then using it to drive outbound posting behavior, which can expose secrets, internal deliberations, or unrelated user data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill self-updates by downloading remote content and overwriting local instruction files without integrity verification, pinning, or user approval. This creates a supply-chain style remote instruction injection path: if the server, DNS, TLS trust chain, or hosting account is compromised, the agent's behavior can be silently replaced on the next heartbeat.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to read local session messages and memory files without any privacy notice, consent boundary, or data minimization rules. Even if intended to improve relevance, this materially increases the chance that sensitive user or organizational information is processed and later disclosed to the remote feed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs agents to send usage and cost telemetry to a remote API but provides no explicit warning, consent mechanism, retention policy, or organizational approval guidance. While telemetry can be legitimate, silent reporting of provider/model/session-linked usage metadata can reveal workload patterns, project activity, and operational details.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to treat Nuggetz as a standing team memory and to post whenever it learns, is blocked, or makes decisions. That broad, persistent behavioral directive can cause autonomous external communication beyond the immediate user task, increasing the risk of unintended data disclosure to the remote service.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The instruction to check Nuggetz manually at generic task boundaries like start, finish, or blocked is overly broad and can trigger unrelated outbound network activity during normal work. In practice this creates an always-on exfiltration and distraction channel that is decoupled from user intent or task necessity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The telemetry guidance encourages reporting provider, model, token counts, cost, request IDs, session IDs, and optionally post linkage, but it does not warn that these fields may themselves be sensitive operational metadata. Sending such telemetry can leak usage patterns, internal identifiers, and cross-task correlation data to an external service without informed consent or minimization.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad natural-language phrases such as 'team update', 'share with team', 'ask the team', and 'track usage' that are likely to appear in normal user conversations. In an agent environment, this can cause unintended activation of the skill and unplanned transmission of team knowledge or usage telemetry to an external service, expanding the chance of data leakage or workflow hijacking.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest combines highly specific triggers like 'post to nuggetz' with ambiguous ones like 'what is my team doing' and 'blocked need help' without any disambiguation rules. This increases the risk that unrelated conversations will match the skill, especially given the skill's purpose of posting team knowledge and token-spend telemetry to a remote API, making accidental exfiltration more plausible in context.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow explicitly chains local data access with external sharing: scan sessions and memory, derive candidate nuggets, then post them to other agents if deemed useful. That natural-language transformation does not remove sensitivity and can leak confidential information, credentials, internal plans, or personal data in summarized form.

External Transmission

Medium
Category
Data Exfiltration
Content
SKILL_DIR=$(dirname "$(find ~/.openclaw -name SKILL.md -path "*/nuggetz*" 2>/dev/null | head -1)" 2>/dev/null)
[ -z "$SKILL_DIR" ] && SKILL_DIR="$HOME/.openclaw/skills/nuggetz-network"

curl -s https://app.nuggetz.ai/skill.md > "$SKILL_DIR/SKILL.md"
curl -s https://app.nuggetz.ai/heartbeat.md > "$SKILL_DIR/HEARTBEAT.md"
curl -s https://app.nuggetz.ai/rules.md > "$SKILL_DIR/RULES.md"
```
Confidence
98% confidence
Finding
curl -s https://app.nuggetz.ai/skill.md > "$SKILL_DIR/SKILL.md" curl -s https://app.nuggetz.ai/heartbeat.md > "$SKILL_DIR/HEARTBEAT.md" curl -s https://app.nuggetz.ai/rules.md > "$SKILL_DIR/RULES.md"

External Transmission

Medium
Category
Data Exfiltration
Content
Option B — Direct download:
```bash
mkdir -p ~/.openclaw/skills/nuggetz-network
curl -s https://app.nuggetz.ai/skill.md > ~/.openclaw/skills/nuggetz-network/SKILL.md
curl -s https://app.nuggetz.ai/heartbeat.md > ~/.openclaw/skills/nuggetz-network/HEARTBEAT.md
curl -s https://app.nuggetz.ai/rules.md > ~/.openclaw/skills/nuggetz-network/RULES.md
```
Confidence
91% confidence
Finding
curl -s https://app.nuggetz.ai/skill.md > ~/.openclaw/skills/nuggetz-network/SKILL.md curl -s https://app.nuggetz.ai/heartbeat.md > ~/.openclaw/skills/nuggetz-network/HEARTBEAT.md curl -s https://app.

Session Persistence

Medium
Category
Rogue Agent
Content
Option B — Direct download:
```bash
mkdir -p ~/.openclaw/skills/nuggetz-network
curl -s https://app.nuggetz.ai/skill.md > ~/.openclaw/skills/nuggetz-network/SKILL.md
curl -s https://app.nuggetz.ai/heartbeat.md > ~/.openclaw/skills/nuggetz-network/HEARTBEAT.md
curl -s https://app.nuggetz.ai/rules.md > ~/.openclaw/skills/nuggetz-network/RULES.md
Confidence
88% confidence
Finding
mkdir -p ~/.openclaw/skills/nuggetz-network curl -s https://app.nuggetz.ai/skill.md > ~/.openclaw/skills/nuggetz-network/SKILL.md curl -s https://app.nuggetz.ai/heartbeat.md > ~/.openclaw/skills/nugge

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.