Back to skill

Security audit

skill-guard

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed security installer, with a few shell-safety issues users should review before relying on it.

Install only if you are comfortable letting this skill run shell commands that stage, scan, and install other skills. Review safe-install.sh first, avoid --force unless you intend to replace an existing skill, and install uv through a trusted package manager or verified installer when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and relies on shell-based installation commands, but the manifest shown does not declare any permissions or capability boundaries. That mismatch is risky because users and tooling cannot accurately assess what the skill may invoke, and security controls based on declared permissions may be bypassed or weakened.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Documenting a force-overwrite option without an adjacent warning encourages destructive use and may lead users to replace existing skills or trusted content unintentionally. In a security-sensitive installer, normalizing overwrite behavior increases the chance of accidental integrity loss or unsafe upgrades.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sources $HOME/.local/bin/env, which executes arbitrary shell code from a user-writable file during dependency checking. If that file is modified by malware or another local actor, running this installer will execute attacker-controlled commands before any scan occurs.

External Script Fetching

Low
Category
Supply Chain
Content
## Requirements

- `clawhub` CLI — `npm i -g clawhub`
- `uv` — `curl -LsSf https://astral.sh/uv/install.sh | sh`

## Why This Matters
Confidence
95% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Skill stays in `/tmp/skill-guard-staging/skills/<slug>/` (quarantined). You can:
1. **Review** — read the scan output, inspect the files
2. **Install anyway** — `mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/`
3. **Discard** — `rm -rf /tmp/skill-guard-staging/`

## Requirements
Confidence
72% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Skill stays in `/tmp/skill-guard-staging/skills/<slug>/` (quarantined). You can:
1. **Review** — read the scan output, inspect the files
2. **Install anyway** — `mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/`
3. **Discard** — `rm -rf /tmp/skill-guard-staging/`

## Requirements
Confidence
72% confidence
Finding
rm -rf /tmp/skill-guard-staging/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:22