Security audit

OrgX

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OrgX orchestration skill, but users should treat its memory sync, API key, and external plugin dependency as sensitive.

Install only if you trust OrgX and the external @useorgx/openclaw-plugin package. Review MEMORY.md, daily logs, and progress summaries before syncing, keep ORGX_API_KEY out of prompts and shared files, and explicitly confirm entity updates, cancellations, rollbacks, or checkpoint restores before allowing an agent to perform them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to send 'Contents of MEMORY.md' and a daily session log to OrgX, which can include secrets, personal data, internal notes, or other sensitive context. Because this is an orchestration/reporting skill that encourages routine syncing, the context increases the likelihood of over-sharing to an external service without user awareness or minimization controls.

Missing User Warnings

Low
Confidence: 80%
Finding
The documentation tells users to set ORGX_API_KEY in the environment but gives no guidance on secure credential handling, storage, rotation, or avoiding exposure in logs and shared shells. While this is common setup guidance, omission of even basic caution can lead to accidental credential leakage, especially in multi-agent or shared development environments.

VirusTotal

63/63 vendors flagged this skill as clean.