Back to skill

Security audit

Meta Workflow Discoverer

Security checks across malware telemetry and agentic risk

Overview

This skill is not confirmed malware, but it needs review because it records workflow and conversation-derived patterns, stores them locally, and advertises cross-user sharing without clear privacy controls.

Install only if you are comfortable with workflow history, task context, and possibly conversation-derived intent being stored locally. Avoid using it with secrets, regulated data, private business processes, trading actions, or customer information unless you first add clear opt-in, redaction, retention/deletion controls, and manual approval before any generated automation is enabled, shared, scheduled, or run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and demonstrates behavior that observes user activity, imports history, and generates automations, yet it declares no explicit permissions while static analysis detected file read/write capabilities. This creates a trust and sandboxing gap: operators may approve the skill without understanding that it can access or persist user-derived data, increasing the risk of unauthorized collection, retention, or modification of workflow/history data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The feature list explicitly includes 'Cross-User Learning: Share across users' but the description provides no privacy warning, consent mechanism, or boundary on what user-derived patterns may be shared. Reusing behavioral patterns across users can leak sensitive business routines, contacts, schedules, or inferred habits even if raw content is not intentionally exposed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API exposes 'import_history(...)' and later examples show automatic observation of conversation intent and skill usage, but the skill description lacks clear notice that external history and user interactions may be logged and mined. This is dangerous because users may unknowingly provide sensitive content, operational data, or third-party information that becomes part of a long-lived automation dataset.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill persists raw task history, steps, and arbitrary context to a predictable local JSON file with no minimization, encryption, retention policy, or user-facing consent/warning. Because this skill is specifically designed to observe user behavior and collect workflow context, it is likely to store sensitive operational data, making confidentiality exposure more serious in context.

Ssd 3

Medium
Confidence
96% confidence
Finding
Cross-user learning/sharing is a substantive privacy and data-separation risk because it implies one user's derived behavior patterns may influence or be exposed to another user without defined isolation guarantees. In this skill's context, the danger is elevated because the product is specifically designed to mine recurring tasks, sequences, triggers, and context, which can reveal confidential workflows, schedules, and organizational processes.

Ssd 3

Medium
Confidence
95% confidence
Finding
The OpenClaw hook records extracted intent from messages and tools used in responses, creating a natural-language logging channel for arbitrary user-provided data. Because conversation content often contains secrets, personal data, internal requests, or regulated information, automatically converting it into task history materially increases surveillance, retention, and secondary-use risks, especially when combined with workflow discovery and automation generation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.