Skill Radar

Security checks across malware telemetry and agentic risk

Overview

Skill Radar mostly matches a skill-management purpose, but it needs review because it reads sensitive local history and can run local commands, including another skill's script.

Install only if you are comfortable with this skill reading OpenClaw session history, memory/config files, and installed skill contents, then writing local caches and querying ClawHub. Treat reports as potentially sensitive. A safer version should remove Mem0 script execution, replace shell-string commands with validated argument lists, and require explicit opt-in for history and workspace-file scanning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    mem0_script = HOME / ".openclaw/skills/mem0/list.py"
    if mem0_script.is_file():
        try:
            result = subprocess.run(
                ["python3", str(mem0_script)],
                capture_output=True, text=True, timeout=15
            )
Confidence
92% confidence
Finding
result = subprocess.run( ["python3", str(mem0_script)], capture_output=True, text=True, timeout=15 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(cmd: str, timeout: int = 30) -> str:
    """Run a shell command and return its stdout"""
    try:
        result = subprocess.run(
            ["/bin/sh", "-c", cmd],
            capture_output=True, text=True, timeout=timeout
        )
Confidence
99% confidence
Finding
result = subprocess.run( ["/bin/sh", "-c", cmd], capture_output=True, text=True, timeout=timeout )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions while its documented behavior requires broad capabilities including file access, shell execution, and network use. That mismatch removes an important transparency and consent boundary, making it easier for the skill to access sensitive local data and external services without users or policy layers understanding the true scope.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond ecosystem diagnostics into reading historical session logs, inspecting workspace governance/config files, searching external services, and performing security assessment. This broader functionality materially changes the privacy and security posture of the skill, because users invoking a benign-sounding management tool may unknowingly expose conversation history and other sensitive context to analysis and networked workflows.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest frames the skill as simple skill diagnostics, but the documentation says it analyzes conversation history and session logs to generate recommendations. That hidden expansion in data sources increases privacy risk because historical conversations can contain secrets, personal data, or confidential work context unrelated to skill management.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Access to raw conversation/session history is broader than necessary for a skill-management function and creates a significant data-exposure surface. Even if intended for recommendations, inspecting full transcripts can reveal credentials, private discussions, security decisions, and other sensitive material that should not be processed unless strictly necessary and clearly authorized.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The recommendation flow collects and analyzes broad historical session content plus workspace files such as MEMORY.md, USER.md, and HEARTBEAT.md, which exceeds a narrow 'skill ecosystem diagnostics' function. Even if used locally, this creates unnecessary access to sensitive user context and broadens the data surface without clear need or explicit consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code derives recommendations from user conversation content and sends derived queries to an external service via ClawHub search. This extends the skill from local diagnostics into outbound profiling/recommendation behavior, potentially disclosing user interests or work context to a third party.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The analyzer reads and aggregates broad content from memory stores, heartbeat/config files, and session logs to infer skill usage. Even if intended for diagnostics, this expands access to sensitive personal and conversational data beyond what is minimally necessary and creates privacy exposure if results are logged, displayed, or reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This explicitly invokes an external `mem0` helper script as part of the analysis pipeline. Because the script resides in a skill-controlled path, a malicious or compromised skill can abuse the analyzer as an execution primitive, making the surrounding skill ecosystem context more dangerous rather than safer.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A reusable helper that can execute arbitrary shell commands is broader than this skill's stated purpose of scanning, analyzing, and optimizing skills. Even if not immediately called here, embedding such a primitive in utility code makes later misuse easy and can turn benign analysis features into host-command execution paths.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly states that the skill analyzes conversation history, session logs, daily memory, and workspace files, but it does not clearly warn users that privacy-sensitive local data may be accessed and processed. In a skill-management context, this broad inspection of user content increases the risk of unexpected collection, disclosure, or overreach if users invoke the tool without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like general skill-management language can cause the skill to activate in situations where the user did not intend a deep scan of files, logs, or networked resources. Because this skill has sensitive diagnostic behavior, overbroad activation increases the chance of unexpected access to local context and external lookups.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger conditions are ambiguous and not clearly bounded to low-risk operations, which is problematic given the skill's access to logs, config files, and external package discovery. Ambiguous routing can lead to accidental execution of privacy-sensitive analysis during ordinary administrative conversations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code reads session logs and workspace configuration files and aggregates them for analysis without any visible user-facing notice or consent gate in this flow. Silent collection of historical conversations and notes is privacy-invasive and undermines user expectations about what the skill will inspect.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The function builds a shell command with direct string interpolation of the user-controlled query: `npx clawhub search "{query}" --limit {limit}`. If `run_cmd` invokes a shell, crafted input can break quoting and execute arbitrary commands on the host, turning a search feature into command injection.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The inspection path similarly interpolates `skill_name` into `npx clawhub inspect {skill_name} 2>&1` without escaping. A malicious skill name can inject additional shell syntax, leading to arbitrary command execution during a security-check operation where users may least expect it.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The file processes sensitive memory and conversation data without any visible user-facing notice, consent flow, or minimization controls in this implementation. In a skill-management context, users may not expect full-text scanning of logs and memories, increasing the risk of silent privacy invasion and downstream exposure of sensitive content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The shell execution helper provides no user-facing disclosure, warning, or consent mechanism, so users of a 'diagnostics' skill may not realize it can run arbitrary shell commands on their machine. That mismatch increases social-engineering risk and reduces informed consent around potentially dangerous behavior.

Ssd 3

Medium
Confidence
94% confidence
Finding
The function appends raw workspace file contents directly into the message corpus using a '[config]' prefix, increasing the chance that sensitive notes or configuration details influence generated recommendations or appear in downstream output. Aggregating broad user-authored content for natural-language reporting creates a real leakage channel even without explicit exfiltration code.

Ssd 3

Medium
Confidence
91% confidence
Finding
The recommendation engine collapses all collected user text into a single corpus and uses it to drive matching and external recommendation/search behavior. This makes private historical inputs materially influence outputs and potentially external requests, creating a meaningful data leakage and profiling risk.

Ssd 3

Medium
Confidence
88% confidence
Finding
Summary generation reuses collected historical messages and workspace configuration context to produce human-readable findings about user needs. Even if the current output is mostly aggregated, this design increases the risk of sensitive details being inferred, surfaced, or later expanded into direct leakage through summaries.

VirusTotal

61/61 vendors flagged this skill as clean.
