Sageox Distill

Security checks across malware telemetry and agentic risk

Overview

This skill appears designed for repository memory, but it needs review because it can install a CLI and send repository/GitHub context to external services without clear up-front disclosure.

Review before installing. Use it only for repositories and GitHub data you are comfortable sending to SageOx and Claude/Anthropic-backed processing, inspect the installer/update script and ox CLI provenance, and prefer a test or non-sensitive repository until permissions, data handling, and persistence behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs the agent to execute multiple shell commands (`bash scripts/update-ox.sh`, `ox`, `gh`, `git`) but does not declare corresponding permissions. That creates a trust and review gap: users or the hosting platform may not realize the skill can execute local commands, access repo contents, or modify local state before approving it.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared description says the skill syncs, indexes, and distills repository activity, but the body also introduces a software installation and persistence flow for `ox`, including running an installer script, writing state under `~/.openclaw/memory`, and validating PATH/binary state on later runs. This behavior expansion is security-relevant because it causes network download, local binary installation, and persistent environment changes that a user would not reasonably infer from the description alone.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill sends repository context, GitHub PR/issues/comments, and team knowledge data to external services (`ox sync`, `ox index github`, and `ox distill` via Claude), but the description does not explicitly warn users that potentially sensitive project data will leave the local machine. In a repo-analysis skill, that omission materially increases privacy and confidentiality risk because users may run it on private or regulated codebases without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.