Link All

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill helps users connect third-party platforms and optionally save the resulting setup as a reusable skill, with no hidden code or automatic execution found.

Install only if you want an agent to help connect external services. Confirm each tool, permission scope, and command before use; prefer official plugins or CLIs; use least-privilege OAuth or tokens; and review any generated SKILL.md before saving it under ~/.openclaw/skills/.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs the agent to create directories and files under ~/.openclaw/skills/ after a successful connection, but it does not require an explicit warning that this modifies the local filesystem or a fresh confirmation immediately before writing. In an agent setting, persisting generated content locally can create unwanted state, overwrite existing skills, or store sensitive connection details in reusable artifacts.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal