Security audit

Context Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw menu bar monitor, but it needs Review because it installs a recurring SwiftBar/SSH monitor and can copy or run code on a remote host with weak confirmation and control.

Install only if you want a persistent macOS SwiftBar monitor for OpenClaw. Review the installer first, run remote mode only against a host you control, avoid setting OPENCLAW_STATUS_SCRIPT unless you fully trust the command, and be aware that the plugin may keep polling over SSH until you remove or disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium (88% confidence)
Finding
The script metadata presents this as a simple menu bar context monitor, but it silently opens an SSH connection and runs a remote Python script. That hidden capability changes the trust boundary significantly: users may install or run it without realizing it executes commands on another host, which can expose credentials, trigger network access, or run unexpected remote code.

Context-Inappropriate Capability

High (96% confidence)
Finding
Both the SSH target and the remote script path are taken directly from environment variables, then interpolated into an SSH command string without validation or safe argument handling. In a plugin context, that means anyone who can influence the environment or plugin configuration can redirect the script to another host or cause execution of an arbitrary remote command, exceeding the stated monitoring purpose.

Vague Triggers

Medium (77% confidence)
Finding
The trigger list contains broad phrases like 'dashboard mac', 'agent status', and 'context monitor' that could match unrelated user requests and cause this skill to activate unexpectedly. Over-broad activation is dangerous here because the skill contains operational setup instructions that lead to shell execution and file transfer.

Missing User Warnings

Medium (95% confidence)
Finding
The hidden setup guide tells the agent to run an installer directly in local mode and to perform scp deployment in remote mode before obtaining explicit consent for those actions. This creates a real risk of unauthorized command execution and file transfer on user or remote systems, which is especially sensitive because the commands modify local configuration and copy files over SSH.

Missing User Warnings

Medium (83% confidence)
Finding
The installer copies executable files into ~/.openclaw and the SwiftBar plugin directory, which creates persistent code execution on the host, but it does so with only generic progress messages. Users may not realize what files are being installed, where they will execute from, or that the plugin will run repeatedly under SwiftBar.

Missing User Warnings

Medium (92% confidence)
Finding
In remote mode, the script writes openclaw-status.py to the remote ~/.openclaw directory and installs a local plugin configured to execute SSH commands, but it does not clearly warn that it is modifying the remote system. Silent or weakly disclosed remote writes are risky because they can normalize unexpected cross-host changes and persistence.

Missing User Warnings

Medium (90% confidence)
Finding
The plugin performs an outbound SSH connection during normal refresh behavior with no user-facing notice in the script output or metadata. In a menu bar utility that may run repeatedly and implicitly, undisclosed network activity increases the risk of silent data exposure, surprise connections to remote systems, and misuse in environments where outbound SSH is sensitive or prohibited.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.