Ai Plan Generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly looks like a planning/document generation tool, but it appears to read an unrelated hard-coded local security-audit file and write files without clear path limits.

Install only if you are comfortable with a local tool that reads and writes files. Before use, review or patch the code so all inputs are explicitly provided, remove hard-coded /Users/admin/.openclaw/workspace access, and run it only in a confined project directory with a dedicated output folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises itself as user-invocable and declares no permissions, yet its documented behavior clearly involves reading inputs and writing multiple artifacts to disk. That mismatch weakens user consent and sandbox expectations: a caller may invoke the skill believing it is non-persistent or low-privilege when it can access and modify local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a substantive description-behavior mismatch: the analyzed behavior includes parsing a hard-coded security audit file, generating security-fix tasks from it, and using hard-coded workspace paths under /Users/admin/.openclaw/workspace for reads and writes. Hard-coded external paths can cause unintended disclosure of sensitive audit data, cross-project data leakage, and writes outside the user-expected scope, especially because none of this is transparently disclosed in the skill description.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code reads a hard-coded security audit file from an absolute path outside the supplied analysis directory, which violates the skill's stated contract of generating plans from provided Code Archaeology inputs. This expands data access scope to unrelated local workspace content and can unintentionally ingest sensitive information into generated outputs.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill performs local security-audit ingestion from a fixed workspace path unrelated to its documented purpose, creating hidden capability beyond normal plan generation. In an agent setting, this kind of undeclared file access is risky because it may pull sensitive findings or secrets from the host environment into downstream task plans.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The workflow examples and directory tree show that the skill creates numerous files and directories, but the description does not clearly warn users about disk writes. In isolation this is a transparency and consent issue rather than a severe exploit, but in an agent setting it increases the risk of unexpected filesystem modification and clutter or overwrite of project artifacts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Reading a user-specific file from /Users/admin/.openclaw/workspace without disclosure is a privacy and boundary violation. In a shared or agent-run environment, this can expose local security-audit content that the caller did not intend to provide, and the extracted details are later incorporated into generated artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code writes multiple files to a caller-controlled outputDir using synchronous filesystem operations without validating or constraining the destination path. If an untrusted caller can influence outputDir, the skill could overwrite files in unintended locations, create artifacts outside the expected workspace, or be abused for path-traversal-style file writes; in an agent setting, silent disk writes are more dangerous because they can modify the host/project state without explicit user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The archaeology-based path has the same unsafe pattern: it creates directories and writes several files to a user-influenced outputDir with no validation, sandboxing, or confirmation. This route may be slightly more sensitive because it also derives content from an external archaeology directory, so an agent could be induced to materialize attacker-influenced content into arbitrary filesystem locations.

VirusTotal

65/65 vendors flagged this skill as clean.
