Echo - OpenClaw Perplexity Ultimate Async Deep Researcher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a Perplexity research helper with expected API use, but it may automatically install an unpinned Python dependency at runtime.

Install only if you are comfortable with your agent contacting Perplexity and possibly running pip to install an unpinned third-party Python package. Prefer reviewing the SKILL.md first, preinstalling or pinning the dependency yourself, and avoiding sensitive queries unless you intend to share them with the Perplexity API.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to install a Python package at runtime, which changes the execution environment and introduces unpinned third-party code during normal use. This is dangerous because it expands the attack surface to package-supply-chain compromise and unexpected code execution beyond the declared research task.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill requires code execution that both installs software and sends queries to an external API, but it does not surface those actions to the user before they occur. That lack of transparency can cause unintended data disclosure and environment modification without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal