
Security audit

OpenClaw Zernio Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent Zernio-analysis purpose, but it explicitly promotes hidden activation and opaque web fetching of profile and engagement data.

Install only if you are comfortable with a skill that may quietly fetch and analyze public Zernio pages. Prefer a revised version that removes hidden activation, states when external web requests occur, limits analysis to user-requested targets, and asks before broad profile, engagement, or subagent-based deep-dive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase 'seamless, hidden activation like Grok skills' is a red flag because it encourages silent invocation without transparent boundaries or user awareness. In context, this is more dangerous because the skill is designed to fetch external content and summarize it directly, so hidden activation increases the risk of covert tool use and user surprise.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase 'seamless, hidden activation like Grok skills' is a red flag because it encourages silent invocation without transparent boundaries or user awareness. In context, this is more dangerous because the skill is designed to fetch external content and summarize it directly, so hidden activation increases the risk of covert tool use and user surprise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow explicitly instructs use of web_search and web_fetch against Zernio URLs, but the skill does not disclose this behavior or warn that user-provided URLs and profile identifiers will be sent to external services. That omission undermines user transparency and can expose user interests or supplied targets through unintended outbound requests.

VirusTotal

67/67 vendors flagged this skill as clean.
