Agent Defibrillator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated watchdog job, but its installer can fetch unpinned remote code and run it as a persistent macOS background service.

Install only if you intentionally want a persistent macOS watchdog that can restart your OpenClaw gateway. Avoid the curl-to-bash path; review the files, install from a pinned commit or trusted release, and change the installer to use the bundled local `defibrillator.sh` or verify a checksum before launchd runs it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs the user to clone a repository and run shell scripts, but it does not declare any permissions or clearly surface that it performs shell-capable actions. This creates a transparency and trust problem: users may invoke the skill expecting documentation, while it actually drives installation and system-management behavior via shell commands.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer downloads a shell script from a remote GitHub URL at install time and places it into the user's executable scripts directory without any integrity verification such as a pinned hash or signature. This creates a supply-chain risk: if the remote content, repository, network path, or hosting account is compromised, the installed watchdog can be replaced with arbitrary code that will later run via launchd persistence.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly recommends `curl ... | bash`, which executes remote code immediately without inspection, pinning, or integrity verification. In the context of an agent-oriented installation flow, this is especially dangerous because users or autonomous agents may run it non-interactively, giving a compromised GitHub account, modified branch, or network-layer content swap a direct path to code execution and persistence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent-directed prompt tells an AI agent to clone a repo, run `install.sh`, and verify a launchd service, but it does not clearly warn that this will execute shell commands and install a persistent background service. Because this skill is explicitly designed for agent use, the omission materially increases the chance of users delegating privileged, persistent installation actions without informed consent or review.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The uninstall section contains irreversible deletion commands using `rm`, but it does not explicitly warn the user that files will be permanently removed. Even though the paths are specific, omission of a deletion warning increases the chance of accidental data loss or careless copy/paste execution.

VirusTotal

64/64 vendors flagged this skill as clean.