local-config-model-recommender

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple model-recommendation guide that reads local OpenCLAW model configuration, with no evidence of hidden execution, persistence, or data exfiltration.

Install only if you are comfortable with the agent reading your local OpenCLAW configuration to identify available model IDs. Avoid asking it to print or share the full configuration, especially if that file contains endpoints, provider details, tokens, or other sensitive settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill explicitly states it will read the user's local OpenCLAW configuration, which is local data access, but it does not clearly warn about that access, what file is read, or what information may be exposed through recommendations. This creates a transparency and consent issue: users may invoke the skill without realizing it inspects local configuration that can reveal provider choices, model inventory, and potentially sensitive configuration structure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal