
Security audit

web-tools-guide

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a web-tooling guide, but its setup path also installs persistent browser tooling, kills and relaunches Chrome, and collects API keys in ways users should review before installing.

Install it only if you trust the publisher and accept a global CLI install, a downloaded browser extension, Chrome being terminated and relaunched with modified flags, and API keys being written to OpenClaw config. Read the setup script before running it, point the tooling at a dedicated browser profile rather than your daily one, and do not paste raw API keys into chat unless the workflow masks them in transcripts and protects them at rest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to run a shell installation script when `opencli` is missing, but the manifest does not declare shell or installation-related permissions. That creates a hidden capability escalation path: a document presented as guidance can trigger arbitrary system modification and process control without explicit user expectation or permission gating.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The declared purpose is procedural guidance for web-tool selection, but the referenced setup behavior includes installing software, downloading artifacts, modifying browser extensions, inspecting processes, killing Chrome, and relaunching it with remote-debugging-related flags. That mismatch is dangerous because it hides powerful host-level actions behind an innocuous description, increasing the chance of unauthorized execution and trust abuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The script goes beyond passive guidance and performs privileged system changes by globally installing software with npm. In the context of a documentation-style skill, embedding executable installation behavior increases supply-chain and host-modification risk, especially when the package source is external and neither version-pinned nor integrity-verified.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The script terminates a running Chrome process and restarts it with modified flags, a destructive action that can disrupt active sessions, lose unsaved work, and alter the browser's security posture; enabling remote debugging in particular exposes a browser control interface to any local process that can reach it. For a web-tools guide skill, this capability is excessive and materially expands the blast radius from guidance into direct host/process control.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs the agent to solicit API keys directly in chat and then persist them into configuration, but provides no warning about the sensitivity of credentials, no guidance on secure handling, and no minimization of exposure in logs or transcripts. In this context, the skill is especially risky because it is mandatory and operationally prescriptive, increasing the likelihood that agents will collect and store live secrets in conversational channels and local config without safeguards.
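One way to handle the credential problem described in this finding, written here as an added example and not code from the skill or from OpenClaw: redact anything shaped like an API key before a chat line reaches a log or transcript, and persist the key only to a file that the owner alone can read (mode 0600), never appended to a shared config in the clear. The key shapes, the config path and the sample chat line are constructed for the example.

```python
"""Handling an API key an agent is handed in chat: redact it before it
reaches logs or transcripts, and persist it only to an owner-only file.
Added example; not part of the skill or its setup script."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed shapes for common API keys: a few vendor-prefixed token forms
# plus a generic long opaque string. Over-redaction is the safer failure mode.
_SECRET_SHAPES = re.compile(
    r"(?<![A-Za-z0-9_-])"
    r"(?:sk-[A-Za-z0-9_-]{16,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|[A-Za-z0-9_-]{32,})"
)


def mask(secret: str, keep: int = 4) -> str:
    """Fixed-width mask that reveals only the last `keep` characters."""
    if len(secret) <= keep:
        return "****"
    return "****" + secret[-keep:]


def redact(text: str) -> str:
    """Replace anything shaped like an API key in a chat or log line."""
    return _SECRET_SHAPES.sub(lambda m: mask(m.group(0)), text)


def store_secret(path: Path, name: str, secret: str) -> None:
    """Write `name=secret` to a file only the owner can read (mode 0600)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    # Create with restrictive mode up front so there is no window where the
    # file exists with default (umask-derived) permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{name}={secret}\n")
    os.chmod(path, 0o600)  # tighten if the file pre-existed with wider bits


def owner_only(path: Path) -> bool:
    """True when group and other have no permission bits on `path`."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def demo() -> dict:
    """Exercise the flow end to end in a temp dir and return the observable results."""
    # Constructed chat line: a user pasting a key the agent should not echo or log.
    pasted = "user: here is my key sk-abcdefghijklmnopqrstuvwxyz123456 please save it"
    key = _SECRET_SHAPES.search(pasted).group(0)
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "openclaw" / "config"  # hypothetical config location
        store_secret(cfg, "api_key", key)
        return {
            "transcript_line": redact(pasted),   # what may be logged
            "owner_only": owner_only(cfg),
            "stored": cfg.read_text() == f"api_key={key}\n",
        }


if __name__ == "__main__":
    print(demo())
```

The better fix is not to take the key over chat at all (read it from an environment variable or a file the user creates), but when a workflow insists on chat, the transcript line must carry only the masked form and the stored copy must not be group- or world-readable.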

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The browser restart path kills the detected Chrome PID without any confirmation, backup, or check for active user work. Even if intended for convenience, unprompted destructive process control is unsafe because it can cause denial of service and unintended session interruption.
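The Overview recommends reading the setup script before running it, and the findings above spell out what to look for: a remote installer piped into a shell when `opencli` is missing, an unpinned global npm install, a downloaded extension, a killed Chrome process, a relaunch with remote-debugging flags, and an API key collected in chat and appended to config. The following scanner is an added example, not code from the skill, from OpenClaw or from SkillSpector; it runs those checks over a constructed setup script that mimics the described behaviour (the hostnames, paths, package name and rule identifiers are assumptions) and reports each hit with its line number.

```python
"""Pre-install review of an agent skill's setup script.

Flags the behaviours the audit describes: a remote installer piped into a
shell, an unpinned global npm install, killing Chrome, relaunching it with
remote debugging, loading an extension, and collecting/persisting API keys.
Added example; not part of the skill or of SkillSpector.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    severity: str
    detail: str


# (rule id, severity, regex, explanation); regexes are matched case-insensitively.
_REGEX_RULES = [
    ("remote-installer", "high",
     r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b",
     "pipes a downloaded installer straight into a shell"),
    ("kills-browser", "high",
     r"\b(pkill|killall|kill)\b.*chrom",
     "terminates a running Chrome process"),
    ("remote-debugging", "high",
     r"--remote-debugging-(port|pipe|address)\b",
     "relaunches Chrome with the remote-debugging interface enabled"),
    ("browser-extension", "medium",
     r"--load-extension\b|\.crx\b",
     "loads or installs a browser extension"),
    ("credential-prompt", "medium",
     r"\bread\b.*\b(api_?key|token|secret)\b",
     "prompts for a credential interactively"),
    ("credential-persisted", "medium",
     r"(api_?key|token|secret)\s*=.*>>",
     "appends a credential to a config file"),
]
_NPM_INSTALL = re.compile(r"\bnpm\s+(install|i|add)\b(?P<args>.*)", re.IGNORECASE)


def _unpinned_global_npm(line: str) -> Optional[str]:
    """Return the first globally installed package that carries no @version."""
    m = _NPM_INSTALL.search(line)
    if not m:
        return None
    args = m.group("args").split()
    if "-g" not in args and "--global" not in args:
        return None
    for tok in args:
        if tok.startswith("-"):
            continue
        # "pkg@1.2.3" and "@scope/pkg@1.2.3" are pinned; "pkg" and "@scope/pkg" are not.
        if "@" not in tok[1:]:
            return tok
    return None


def review_setup_script(script: str) -> List[Hit]:
    """Scan a shell setup script line by line; comments and blank lines are skipped."""
    hits: List[Hit] = []
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rule, sev, pattern, why in _REGEX_RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append(Hit(n, rule, sev, why))
        pkg = _unpinned_global_npm(line)
        if pkg:
            hits.append(Hit(n, "unpinned-npm-global", "medium",
                            f"installs {pkg!r} globally without a pinned version"))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Worst severity seen: 'high', 'medium' or 'clean'."""
    severities = {h.severity for h in hits}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "clean"


# Constructed setup script modelled on the audited behaviour (macOS launch form);
# hostname, paths and package name are invented for the example.
SAMPLE_SETUP_SCRIPT = """\
#!/usr/bin/env bash
set -e
if ! command -v opencli >/dev/null 2>&1; then
  curl -fsSL https://example.invalid/install.sh | sh
fi
npm install -g some-web-tool
curl -fsSL https://example.invalid/ext.zip -o /tmp/ext.zip && unzip -o /tmp/ext.zip -d "$HOME/.web-tools/ext"
CHROME_PID=$(pgrep -f "Google Chrome" | head -n1)
[ -n "$CHROME_PID" ] && kill "$CHROME_PID"
open -a "Google Chrome" --args --remote-debugging-port=9222 --load-extension="$HOME/.web-tools/ext"
read -r -p "Paste your API key: " API_KEY
echo "api_key=$API_KEY" >> "$HOME/.config/openclaw/config"
"""

if __name__ == "__main__":
    found = review_setup_script(SAMPLE_SETUP_SCRIPT)
    for h in found:
        print(f"line {h.line_no:>2}  {h.severity:<6} {h.rule:<22} {h.detail}")
    print("verdict:", verdict(found))
```

Run it against the real setup script before installing; a `high` verdict is a reason to stop and read the flagged lines, and a pinned, integrity-checked install (for example `npm install -g pkg@1.4.2` against a lockfile) clears only the npm rule, not the browser or credential ones.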

VirusTotal

66/66 vendors reported this skill as clean. A clean antivirus result does not address the findings above, which concern what the setup script does on the host rather than known-malicious content.


Static analysis

No suspicious patterns detected.