nutcracker

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it should be reviewed because it silently records and stores near-verbatim conversation data across sessions by default.

Install it only if you intentionally want an always-on local UX research log of your OpenClaw use. Avoid it for sessions involving client work, secrets, personal matters, health/legal/financial topics, or confidential business information unless you are comfortable with near-verbatim logs of those sessions sitting on local disk. Review ~/.uxr-observer regularly, use the pause/delete controls, and inspect reports before emailing them or setting up recurring delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest promises that the skill 'never transmits data externally,' but the body explicitly authorizes emailing or messaging reports. That contradiction can mislead users and reviewers into trusting a data-handling model that is broader than advertised, undermining informed consent and enabling unexpected exfiltration of highly sensitive conversation-derived logs.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The privacy model says data stays local by default and transmissions require explicit request, but the skill later includes built-in commands to send reports via email/messaging. While user-initiated sharing can be legitimate, the inconsistency weakens privacy guarantees and increases the chance that operators or users misunderstand the actual data flow and consent boundary.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill is designed to trigger on every conversation, every new session, every task completion, and end-of-day, which creates near-continuous monitoring. In a system with access to user conversations, this broad invocation materially increases unnecessary collection, retention, and exposure of sensitive data far beyond what is needed for narrowly scoped UX research.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs passive observation of every interaction and repeated collection of verbatim user content without ongoing notice at the time of capture. Even with an install-time opt-in claim, continuous surveillance of all conversations is dangerous because users may forget monitoring is active and disclose sensitive information in contexts unrelated to UX research.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instruction to 'capture verbatims aggressively' and log most user language creates a natural-language data collection risk because free-form text often contains personal, confidential, or regulated information that simple redaction rules will miss. Persistent storage of these quotes amplifies downstream privacy, insider-access, and accidental-sharing risks.

Ssd 3

Medium
Confidence
96% confidence
Finding
The observation schema requires near-full user request quotes for every interaction, making comprehensive retention of raw user prompts a core design feature. This is dangerous because prompts frequently contain secrets, personal context, proprietary code, and other sensitive material that may not be recognized by basic category-based redaction.

Ssd 3

Medium
Confidence
96% confidence
Finding
The sub-agent prompt operationalizes broad verbatim capture and automatic appending to logs, increasing scale and reducing human judgment over what is stored. Automating this behavior makes overcollection more likely and can silently persist sensitive content across many interactions before anyone notices.
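The three findings above rest on one claim: category-based redaction of free-form verbatims leaves secrets and sensitive context behind. The Python below is added here as an illustration and is not code from the skill, from SkillSpector, or from OpenClaw. It runs a typical email/phone/card redactor over constructed sample prompts, then applies a high-entropy-token heuristic to what survives, and finally offers a directory walker for reviewing a log tree such as ~/.uxr-observer. The sample verbatims, the pattern lists, the entropy thresholds and the assumption that logs are plain line-oriented text files are all assumptions for the demonstration.

```python
import math
import os
import re

# Constructed sample verbatims (not taken from any real ~/.uxr-observer log);
# they imitate what a "capture verbatims aggressively" instruction would store.
SAMPLE_VERBATIMS = [
    "Can you email jane.doe@example.com the Q3 numbers?",
    "Deploy with AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY please",
    "My doctor said the lithium dose should be 300mg, help me draft a note to her",
    "set DB_URL=postgres://db.internal.corp:5432/prod and DB_PASSWORD=S3cretPassw0rd then list tables",
    "call me on 555-0123 about the Acme merger (codename BLUEJAY)",
]

# Category-based redaction of the kind a skill prompt typically specifies:
# recognisable identifier shapes only (email, phone, card). Assumed patterns.
CATEGORY_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\b\d{3}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def redact_by_category(text):
    """Replace each matched category with a placeholder; everything else passes through."""
    for label, pattern in CATEGORY_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def shannon_entropy(token):
    """Bits of entropy per character over the token's own character distribution."""
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_tokens(text, min_len=12, min_bits=3.5):
    """Crude secret detector: long tokens with a flat character distribution.
    The thresholds are assumptions chosen for this demonstration, not a standard."""
    tokens = re.split(r"[\s=:@]+", text)
    return [t for t in tokens if len(t) >= min_len and shannon_entropy(t) >= min_bits]


def audit(verbatims):
    """Redact each verbatim by category, then report what still looks like a secret."""
    report = []
    for original in verbatims:
        redacted = redact_by_category(original)
        report.append({
            "original": original,
            "redacted": redacted,
            "changed": redacted != original,
            "suspect_tokens": high_entropy_tokens(redacted),
        })
    return report


def scan_directory(root):
    """Run audit() over every non-empty line of every regular file under root.
    Assumes plain-text, line-oriented files; the real on-disk layout of
    ~/.uxr-observer is not shown on this page."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
            hits = [r for r in audit(lines) if r["suspect_tokens"]]
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for entry in audit(SAMPLE_VERBATIMS):
        print(entry["redacted"], "->", entry["suspect_tokens"] or "no suspect tokens")
```

Of the five constructed prompts, the category redactor changes only the email and the phone number; the AWS secret, the database password and the medication detail pass through untouched. The entropy heuristic recovers the key and the password because they are long and random-looking, but it has nothing to say about "lithium ... 300mg", which is exactly the kind of regulated content the findings warn about: no pattern list, simple or statistical, makes verbatim retention safe.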

Session Persistence

Medium
Category
Rogue Agent
Content
## Data Storage

All data lives under `~/.uxr-observer/`. Create this directory structure on first run:

```
~/.uxr-observer/
```
Confidence
90% confidence
Finding
Create this directory structure on first run: `~/.uxr-observer`

Session Persistence

Medium
Category
Rogue Agent
Content
Every time OpenClaw completes a distinct task — a file created, a question answered, code written, a search done, a document edited — trigger this survey. Don't skip it. Don't wait for a "good moment." The point is to capture experience data while it's fresh and to build a complete dataset across all tasks.

Before presenting the survey, write a brief **task context summary** (2-3 sentences) that describes what the user asked for and how OpenClaw responded. This summary gets stored alongside the survey responses so anyone reading the report later understands what the ratings refer to.

**Present the survey conversationally, like this:**
Confidence
88% confidence
Finding
write a brief **task context summary** (2-3 sentences) that describes what the user asked for and how OpenClaw responded. This summary gets stored alongside the survey responses so anyone reading the

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal