Dashboard Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent but should be reviewed because it serves private logs and ledger data through a persistent local HTTP dashboard without clear access controls.

Install only if you intend to expose these dashboards in your local OpenClaw environment. Before enabling it, confirm the server binds only to localhost or is otherwise access-controlled, review what appears in memory logs and ledger JSON, and make sure the cron/watchdog behavior is easy to disable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly documents that it serves self-contained dashboards on port 8081 containing embedded daily logs, ledger entries, and token-usage data, but the description does not warn users that sensitive data will be exposed over HTTP. This creates a real risk of unintended information disclosure, especially because the memory dashboard embeds full log content and the expense dashboard exposes all ledger data in machine-readable form.

VirusTotal

64/64 vendors flagged this skill as clean.
