Openclaw Self Improve

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide UX or improvement playbook guidance, with a privacy best-practice gap but no evidence of hidden execution, data exfiltration, or destructive behavior.

Before using the UX feedback or usability-testing guidance, make sure participants know what is being collected, why it is collected, where it will be stored, and how long it will be kept. Avoid sensitive personal data unless strictly necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 79%
Finding
The UX playbook recommends collecting user feedback and running usability tests on users, but it does not mention consent, notice, data minimization, or handling of any personal data that may be gathered. In a self-improvement workflow, operators may copy these examples directly into real processes, creating privacy/compliance risk and unsafe collection practices even if the document is only guidance.

VirusTotal

65/65 vendors flagged this skill as clean.
