Back to skill

Security audit

city-life-copilot

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but its installer and workflows give it broad local, network, browser, and persistent file powers without enough scoping or consent controls.

Review the installer before running it, preferably in a sandbox and without elevated privileges. Be careful with exact home, work, social-media, and accessibility details because the skill sends or embeds location-related data through external map, browser, and fetch providers and leaves reports in the local OpenClaw workspace. Verify housing and accessibility route recommendations independently before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and appears to require shell, network, and environment access, yet no permissions are declared in the manifest. That creates a transparency and consent gap: users and hosting platforms cannot accurately evaluate the risk before installation, while the documented install flow includes executing Node scripts and fetching external dependencies.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes well beyond a city-life planning assistant: it includes installing global tools, cloning/downloading external content, invoking shell commands, and writing local artifacts. This mismatch is dangerous because users may trust the skill for benign route planning while it performs privileged system changes and pulls unreviewed third-party code or packages.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The workflow mandates autonomous opening of user-supplied third-party social links with `agent-browser`, specifically to bypass normal scraping limitations. This increases exposure to prompt injection, malicious web content, tracking, and unintended browsing actions without an explicit user confirmation or safety gate.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The accessibility mode instructs the agent to infer physical limitations from trigger words and proceed without clarification, while making consequential routing and transport decisions. That can mishandle sensitive health/disability-related context, produce unsafe travel guidance, and override user autonomy in a domain where incorrect assumptions can cause real-world harm.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The installer provisions browser automation and anti-crawl scraping components that materially expand the skill's capabilities beyond a normal city concierge. In this context, bundling `agent-browser` and an anti-crawl fetcher increases the attack surface and enables automated interaction and collection from third-party sites, which can be abused for unauthorized scraping or account/session misuse if the skill or its dependencies are compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script executes real shell commands via `execSync` and uses them to install packages and bootstrap tooling on the host. This is dangerous because installation sources and command strings are not strongly constrained or verified, so running the installer gives the skill broad system-level side effects and a path to arbitrary command execution if any input, source, or upstream package is malicious.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly processes user-supplied social-media links, extracts places, and sends data to external mapping and scraping services, yet it does not warn users about the privacy implications. This can expose sensitive browsing interests, precise location patterns, and potentially personal travel or housing intent to third-party services without informed consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases like '周末去哪玩' or '想出去走走' can activate a mode that performs web scraping, itinerary generation, and file creation without sufficiently confirming user intent. In a tool-using agent, overly loose activation criteria can lead to unnecessary data access and actions the user did not clearly request.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The housing workflow auto-triggers broad neighborhood scans and commuting analysis '无需用户吩咐', which can cause unrequested enrichment on sensitive life-pattern data such as home and workplace locations. Automatic expansion of scope is risky because it can expose private inferences and perform more data processing than the user expected.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Keyword-only activation for accessibility mode can misclassify ordinary conversation and trigger special handling based on inferred disability, age, pregnancy, or mobility needs. Because the mode changes routing behavior and assumptions, false activation can produce intrusive or inappropriate outputs and process sensitive attributes without confirmation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow requires writing generated HTML files to local workspace and returning the path, but it does not require notifying the user in advance that a persistent local file will be created. Silent local writes can surprise users, create privacy issues, and leave residual artifacts containing scraped content, locations, or sensitive travel details.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The global rules hard-code writing all outputs into a fixed local workspace path without any user warning or consent. This creates persistent side effects and a predictable storage location for potentially sensitive artifacts, increasing privacy and operational risk if the workspace is shared or later inspected.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/install.js:58

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/xiaohongshu-grabber.js:67