openclaw-visual

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it may read private journals and OpenClaw chat history and turn them into shareable images without strong consent or redaction guidance.

Install only if you are comfortable with the skill accessing local PhoenixClaw journals and OpenClaw session history. Prefer giving it the exact text to render, confirm any file paths and date ranges before it scans local records, review images before sharing them, and avoid untrusted HTML or image URLs unless rendering is sandboxed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

Medium (90% confidence)

The script renders fully user-influenced HTML in Playwright/node-html-to-image using browser engines without restricting external network access. Since template variables are inserted without escaping, an attacker who controls content can inject tags such as external images or CSS URLs, causing server-side requests during rendering and enabling SSRF, internal network probing, or unintended data egress. In the context of this skill, the stated purpose is offline visualization of provided content, so outbound fetching is unnecessary and increases risk.

Missing User Warnings

Medium (93% confidence)

The skill explicitly instructs the agent to read daily journals and scan chat/session records, then turn that content into shareable images for chat platforms, but it provides no privacy warning, consent check, or guidance to minimize sensitive data exposure. In this context, the omission is risky because journals and conversation histories commonly contain personal, confidential, or third-party information, and the generated image format encourages redistribution.

Missing User Warnings

Low (87% confidence)

The skill writes generated images to a local output path and then sends them onward, but it does not clearly disclose that copies of potentially sensitive content will be stored on disk. This creates residual data exposure risk because images derived from journals or chats may remain in predictable directories, accessible to other local users, backups, or later processes.

Missing User Warnings

Medium (95% confidence)

The document explicitly states that the skill may scan `~/.openclaw/sessions/*.jsonl` to summarize chats, but it does not require clear user notice or consent before accessing local conversation history. In an agent environment, this creates a privacy and data-minimization risk because a vague request like '总结今天的对话' ("summarize today's conversation") could lead to reading sensitive local data the user did not realize would be accessed.

VirusTotal

64/64 vendors flagged this skill as clean.