Security audit

Pixcake Skills

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent PixCake desktop integration, but its setup can install mcporter globally and persistently update OpenClaw MCP configuration.

Install this only if you use PixCake and are comfortable with a setup script that may install mcporter globally via npm and write an OpenClaw MCP config entry. Run the check-only mode first, review the discovered pixcake-mcp path, and avoid running setup if you do not want persistent MCP configuration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
These instructions direct the agent to execute local shell and PowerShell commands that inspect running processes, rename files, run setup scripts, and potentially launch an application. Even if intended for legitimate onboarding, this creates a direct pathway for filesystem changes and script execution on the host, which is risky in a skill that users may invoke for ordinary application tasks rather than system administration.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The setup script installs a global npm package (`mcporter`) and modifies user environment state as part of normal execution, which exceeds the skill's stated PixCake client operation scope. Even if intended for convenience, silent system-wide installation increases supply-chain and integrity risk because it executes external package manager operations and changes the host outside the immediate PixCake task domain.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script writes `~/.openclaw/workspace/config/mcporter.json` and inserts or overwrites the `mcpServers.pixcake` entry without prompting, thereby altering persistent user configuration. This is security-relevant because it can redirect future tool invocations to a discovered executable path and changes agent/runtime behavior beyond the manifest's described end-user capabilities.

Missing User Warnings

Medium
Confidence: 88%
Finding
The manifest explicitly directs the agent to write `~/.openclaw/workspace/config/mcporter.json` in the user's home directory as part of path resolution, but it provides no requirement for user consent, no warning about persistence, and no constraints on what may be written. Persistently modifying files under the home directory can change future tool behavior across sessions and creates a trust boundary issue if the written config is influenced by discovered paths or environment state.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document instructs users to run setup scripts that may globally install `mcporter` via `npm install -g` and modify `~/.openclaw/workspace/config/mcporter.json`, but it does not clearly warn that these actions change the host environment. In a security-sensitive agent skill, silent package installation and config mutation increase supply-chain and persistence risk, especially because the commands are presented as routine setup steps.

Missing User Warnings

Low
Confidence: 87%
Finding
The guidance tells users to rename and execute a PowerShell setup script without clearly disclosing that running it can alter the system state. While renaming itself is minor, the combination of enabling execution of a script and then proceeding to run setup commands can normalize unsafe execution of unreviewed scripts.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script performs sensitive side effects (global npm installation and subsequent persistent configuration changes) without any interactive confirmation or dry-run default. This is dangerous because users may run the setup expecting simple PixCake enablement, but instead the script mutates system state and trusts external package installation automatically.

VirusTotal

37/37 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.