fco-monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent FC Online website monitor, but its installer makes privileged system changes and creates persistence without clear opt-in.

Review install.sh before installing. Prefer running the monitor manually or from a user-level scheduler, and avoid running the installer as root unless you intentionally accept package-manager changes, writes under /root and OpenClaw system directories, and creation of a systemd service file. Verify how to remove the service/config/log files and be cautious with any webhook destination because notifications may leave your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The installer automatically invokes system package managers to install dependencies, which expands a skill install into host-level modification without explicit consent or scope limitation. For a monitoring skill, silently changing the OS package state is unnecessary and increases risk, especially when the script appears intended to run as root and targets privileged paths.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The script writes a persistent systemd unit under /etc/systemd/system, enabling the skill to become a long-running background service on the host. That is a privilege and persistence boundary crossing beyond simple skill setup, and it creates ongoing execution capability if the monitored code is later modified or compromised.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The skill exposes a generic shell-command execution helper using execSync, which is broader than necessary for a website-monitoring integration. In this file the current call sites are mostly constant strings or numeric CLI parameters, so it is not an immediate arbitrary-command injection sink, but it still increases attack surface and makes future misuse or parameter injection much more likely.

Missing User Warnings

Medium, 96% confidence
Finding
The webhook example explicitly encourages sending monitoring output to third-party services such as Discord or Slack without warning that scraped content, metadata, timestamps, or future expansions of the payload may leave the local environment. In an agent skill context, outbound integrations increase exfiltration risk because users may enable them without understanding what data is transmitted or validating the destination URL.

Vague Triggers

Medium, 92% confidence
Finding
The example trigger is broad enough that an assistant could auto-activate monitoring behavior from a natural-language request without clear confirmation, scope limits, or explicit consent boundaries. In an agent environment, this can lead to unintended task creation, repeated network activity, and persistent monitoring actions that the user may not have fully authorized.

Missing User Warnings

Low, 94% confidence
Finding
The skill describes recurring website checks and later mentions writing logs under /tmp, but it does not clearly warn users up front that enabling monitoring will cause periodic outbound network access and local log creation. This is a real transparency and consent issue because users may unintentionally deploy persistent monitoring behavior that generates network traffic and leaves local artifacts on disk.

Missing User Warnings

Medium, 98% confidence
Finding
Installing packages with yum/apt-get automatically and without confirmation causes unreviewed system changes and may pull in additional software from configured repositories. In a skill installer, this violates the principle of minimum surprise and can be abused or cause instability on production hosts.

Missing User Warnings

Medium, 90% confidence
Finding
The script writes configuration into /root/.openclaw/config without prior warning, which is a filesystem side effect the user may not expect. While creating a config file is normal installer behavior, doing so in privileged/root-owned locations without consent or path configurability can conflict with user expectations and complicate safe deployment.

Missing User Warnings

Medium, 97% confidence
Finding
Creating a systemd service file under /etc/systemd/system without confirmation establishes host-level persistence and changes boot/runtime behavior. For a third-party skill, this is security-sensitive because it grants durable execution on the machine outside the immediate install session.

VirusTotal

63/63 vendors flagged this skill as clean.