Security audit

agent-creator-skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises, but it automatically creates persistent OpenClaw agents and changes local OpenClaw state without enough confirmation, validation, or cleanup controls.

Install only if you intentionally want your main agent to create persistent peer agents. Before running it, review the generated agent ID, display name, workspace path, and full persona prompt; avoid secrets in persona text; back up ~/.openclaw/openclaw.json; and do not use the Windows PowerShell path unless the missing script is supplied and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to execute local shell/PowerShell scripts and implicitly use filesystem and environment access, yet no permissions are declared. This creates a hidden capability boundary issue: a caller or reviewer may believe the skill is metadata-only while it can actually create or modify files and invoke host tooling.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The README explicitly promotes automatic execution of local scripts and automatic agent initialization, but does not warn users that these steps will execute commands and modify the OpenClaw environment. In an agent-driven workflow, lack of explicit disclosure increases the risk of users authorizing actions they do not understand, especially because the scripts create agents and inject prompts automatically.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The conversational installation flow tells users they can ask the main agent to install directly from a GitHub URL, but does not warn that this will fetch, trust, and enable remote code. This is dangerous because it encourages one-step installation of unreviewed third-party code through an agent, amplifying supply-chain and prompt-to-execution risk.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The trigger condition is very broad: any request to 'create a new agent, assistant, or proxy' must invoke this skill. Because the skill generates attacker-influenced prompt content and passes it as command-line arguments to local scripts, overly broad auto-invocation increases the chance of unintended execution, misuse, or prompt-to-command workflow abuse in normal conversations.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.