oh my skill, make skill easy!

Security checks across malware telemetry and agentic risk

Overview

This skill openly helps turn completed conversations into reusable skill files, but users should review what gets saved because it can preserve session details.

Install only if you are comfortable with an agent offering to turn completed conversations into persistent skills. Avoid using it on highly sensitive sessions, review the cleaned session and generated SKILL.md before relying on it, and narrow any overly broad trigger descriptions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill clearly instructs reading prior session content, invoking a masking script on transcript text, and saving generated artifacts under the user's skills directory, but it does not declare corresponding read/write permissions. This creates hidden capability expansion: operators may believe the skill is metadata-only while it can access conversation-derived content and persist files to disk.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The declared purpose is workflow capture, but the instructions add a broader transcript-processing/redaction pipeline that can ingest whole session text, transform it, and write sanitized outputs. That mismatch is dangerous because reviewers and users may not realize the skill performs secondary data handling on potentially sensitive conversation content.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The skill encourages proactive triggering even when the user did not request persistence, then processes full session content with only a warning and customizable masking guidance. This increases the chance that sensitive session data is captured or summarized without informed consent, especially because desensitization is optional/tunable rather than enforced and validated.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: Extracting and transforming entire session transcripts is broader than necessary for saving a reusable workflow, violating data minimization principles. The broader the captured context, the more likely secrets, personal data, or unrelated project details are retained in generated skills or intermediate files.

Vague Triggers

High

Confidence: 90% confidence
Finding: The trigger guidance is so broad that the skill may activate after many ordinary multi-step tasks, leading to frequent unsolicited attempts to inspect and persist workflow/session information. Broad auto-invocation increases the attack surface for inadvertent collection, overreach, and user confusion about when files will be created.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: Telling future generated skills to be 'pushy' about trigger phrases encourages overbroad activation logic and repeated unsolicited engagement. This compounds the persistence risk by creating descendant skills that are also more likely to trigger on vague contexts and process data outside clear user intent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs writing files into the user's skills directory as part of normal operation, but the up-front description emphasizes automation and proactive use rather than explicit disclosure of file creation. Users may not understand that invoking or accepting the workflow will persist artifacts on disk, including potentially derived content from prior sessions.

Session Persistence

Medium

Category: Rogue Agent
Content: --- name: oh-my-skill description: Automatically generate and save a reusable skill after AI agent successfully completes a complex task involving 5 or more tool calls. Use this skill whenever a multi-step workflow has just been completed successfully — such as document creation pipelines, data transformation flows, research-and-write tasks, multi-file editing workflows, or any agentic sequence that involved planning, tool use, and structured output. Trigger this skill proactively at the end of complex task completions even if the user hasn't asked for it, offering to save the workflow as a reusable skill. Also trigger when users say things like "save this as a skill", "make this repeatable", "turn this into a skill" or "oh-my-skill". metadata: openclaw: requires:
Confidence: 95% confidence
Finding: write tasks, multi-file editing workflows, or any agentic sequence that involved planning, tool use, and structured output. Trigger this skill proactively at the end of complex task completions even i

Session Persistence

Medium

Category: Rogue Agent
Content: ### Step 2: Draft the Skill Write a `SKILL.md` with: ``` ---
Confidence: 91% confidence
Finding: Write a `SKILL.md` with: ``` --- name: <kebab-case-name> description: <What it does, when to trigger. Be specific and "pushy" — list all the user phrases and contexts that should trigger this skill.>

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal