Build Discipline

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only habit-coaching skill with disclosed local habit tracking and no executable or network behavior.

Safe to install as a local discipline coach. Before using it heavily, decide what personal habit or health-adjacent details you are comfortable tracking, and check how your OpenClaw environment lets you view or delete stored commitments and streak history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrases are broad, natural-language phrases that can easily appear in ordinary conversation, increasing the chance the skill activates unintentionally. Because this skill proposes storing commitments and reminders, accidental invocation could capture personal habit data or alter user workflows when the user did not intend to use this skill.

Shadow Command Trigger

Medium

Category: Trigger Abuse
Confidence: 91% confidence
Finding: The trigger 'build discipline' begins with the built-in command word 'build', creating a shadowing/conflict risk where this skill may intercept or be confused with native build-related functionality. This can lead to command hijacking, unexpected routing, or user confusion, especially in environments where built-in commands are trusted or have elevated capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal