Paperclip Orchestration

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Paperclip onboarding, but it asks an agent to share broad OpenClaw access, approve device pairing, install follow-on skills, and persist API keys with too little user-control guidance.

Use this only with a Paperclip organization and base URL you trust. Before running it, explicitly approve sharing the OpenClaw gateway token and any device pairing, review any additional Paperclip skill before installation, and protect or rotate/delete the saved Paperclip API key file when it is no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs claiming, storing, and later loading Paperclip API key material from a local file, but does not require secure secret storage, redaction, minimal retention, or a user warning about credential sensitivity. Persisting full claim responses locally increases the chance of credential exposure through backups, logs, workspace sharing, or later agent access.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal