DataGuard DLP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local DLP tool rather than malware, but its security-control claims and sensitive local logging need careful review before relying on it.

Install only after confirming hook support in your OpenClaw environment and testing that blocks actually occur. Keep the skill directory permissions restricted, review or clear logs/context files regularly, avoid entering real secrets in false-positive reports or override reasons, and treat the emergency override behavior as unclear until verified in a sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The README prominently claims active runtime interception and blocking, but the implementation status later states the current version only provides voluntary/manual behavior. This creates a dangerous false sense of protection: operators may rely on the skill to prevent exfiltration when no actual enforcement exists, increasing the chance that secrets or PII are transmitted without controls.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
This section documents a tool execution flow and pre-hook interception model as if it is an operational control, while the same README states hooks are only planned. Presenting aspirational security controls as current implementation can mislead users into underestimating exfiltration risk and skipping other safeguards.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The documentation states there is no disable switch, yet an emergency override effectively disables core protections by auto-granting blocked actions for five minutes. This contradiction can mislead users about the actual security posture and creates a bypass path that an attacker or pressured operator could abuse during an exfiltration attempt.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The note says hooks do not read file contents for upload scanning, but elsewhere the documentation says outbound bodies and messages are extracted and scanned. This inconsistency can cause users to misjudge what data the skill inspects and whether sensitive content is being processed or retained.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The rules require explicit user approval for blocked actions, but the emergency override says approvals are auto-granted. That undermines the central human-in-the-loop control and turns a documented safeguard into an optional control that can be silently bypassed during the override window.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The activation model is ambiguous: some protections depend on hooks, while others require manual agent calls and opt-in context tracking. Security features that are optional or unclearly triggered are easy to assume are active when they are not, leading to protection gaps and false assurance.

Missing User Warnings

Severity: High
Confidence: 91%
Finding
The emergency override is described with only weak cautions despite materially reducing exfiltration protections for a five-minute window. Users may invoke it under routine operational pressure without understanding that sensitive outbound transfers may then be auto-approved.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script persistently records to disk sensitive metadata about blocked events, including tool names, domains, matched patterns, scores, and optionally a data preview. In a DLP context, those logs can themselves become a secondary data exposure source if local permissions, backups, exports, or support collection processes expose them, and the preview-redaction logic still retains the first four characters of potentially sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script persists a history of sensitive file-read events to a local JSON file under the skill directory, which can reveal what sensitive resources a user or agent accessed and when. Even though it does not store file contents, this metadata is itself sensitive and can be exposed to other local users, later tool invocations, backups, or logs without any explicit user notice or retention controls.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script persists user-supplied patterns and descriptions directly to both a JSON file and a log file, but it does not warn users that the submitted text may itself contain credentials, secrets, internal hostnames, or other sensitive identifiers. In a DLP-related skill, users are especially likely to paste sensitive strings that were flagged, so storing them on disk and in logs can create a secondary data exposure path and weaken the plugin's privacy goals.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The skill instructs logging of sensitive file reads and showing or recording exact outbound data, even if truncated or redacted. This creates secondary data exposure and retention risk because the DLP system itself can become a repository of sensitive metadata or snippets that attackers, users, or later processes may access.

VirusTotal

64/64 vendors flagged this skill as clean.