Openclaw Agentpmt Tool Air Quality Pollen Information E89f3f

Security checks across malware telemetry and agentic risk

Overview

The skill’s air-quality purpose is plausible, but it also asks the agent to use wallet payments and follow private external job instructions without clear limits.

Review this before installing if you would let the agent act autonomously. Use only a dedicated low-balance wallet, require explicit approval before any credit purchase or payment signature, and do not allow the agent to follow private AgentPMT job instructions unless you can inspect and approve each job.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly states that generated maps are saved to cloud storage for 7 days, but the finding indicates this retention behavior is omitted from the user-facing warning/description context. That can cause unintentional disclosure of queried locations or environmental-interest data to a third-party service when users may reasonably expect a transient API response rather than persisted artifacts.

VirusTotal

No VirusTotal findings

View on VirusTotal