Coding Plan Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly purpose-aligned, but it saves API keys as plaintext while presenting that storage as secure.

Install only if you are comfortable with coding-assistant API keys being saved as plaintext in `.openclaw/.env` inside the workspace. Add that path to `.gitignore`, restrict file permissions, avoid production or high-value keys, and rotate any key that may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
Finding: The manifest description is overly generic and does not disclose that the skill registers services, stores API keys, checks credential status, and rotates secrets. When a skill manages credentials but presents itself only as a generic planning assistant, users may invoke it without informed consent about sensitive operations.

Context-Inappropriate Capability
Severity: Medium | Confidence: 87%
Finding: The documented credential storage requirements and secret-format guidance add a sensitive secret-management role that is broader than a typical coding-plan assistant. This mismatch increases the chance that the skill will be trusted for benign planning while actually being used to collect, persist, and manipulate provider credentials.

Context-Inappropriate Capability
Severity: Medium | Confidence: 90%
Finding: A documented `rotate-key.js` script gives the skill active secret-rotation capability, which goes beyond passive planning or informational assistance. Secret rotation can disrupt accounts, replace working credentials, or be abused to lock users out or alter integrations if invoked unexpectedly.

Description-Behavior Mismatch
Severity: Medium | Confidence: 88%
Finding: The skill reads from and writes API credentials to a local `.openclaw/.env` file, but the disclosed description does not make that sensitive behavior clear. Users may invoke a seemingly harmless 'coding plan assistant' without realizing it accesses and persists secrets, which undermines informed consent and safe review.

Context-Inappropriate Capability
Severity: Medium | Confidence: 84%
Finding: The code implements direct credential retrieval from a shared `.env` file, which is a sensitive capability beyond a simple planning or comparison assistant. Even if intended for convenience, collecting and exposing credential state increases the attack surface and can normalize secret handling in a low-trust assistant context.

Intent-Code Divergence
Severity: High | Confidence: 98%
Finding: The skill tells users their API key will be 'securely stored', but `saveCredential` writes it in plaintext to `.openclaw/.env`. This is dangerous because local plaintext secrets are easily exposed through file reads, backups, logs, repo inclusion, or other skills/processes running in the same workspace.

Vague Triggers
Severity: Medium | Confidence: 88%
Finding: The trigger phrases are broad, ordinary-language requests such as asking which assistants are supported or whether an API key is configured. In an agent environment, overly generic activation cues can cause the skill to engage unexpectedly during unrelated conversation and steer users into credential-handling flows without clear intent boundaries.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The README encourages users to provide API keys and says they will be stored in `.openclaw/.env`, but it does not explain the trust boundary, who can read that file, or the risks of sharing secrets with the skill runtime. This can mislead users into disclosing high-value credentials without understanding local compromise, multi-user access, backups, logs, or downstream agent/plugin exposure.

Vague Triggers
Severity: Medium | Confidence: 84%
Finding: The trigger examples are broad natural-language phrases such as configuring providers or rotating API keys, without strong activation boundaries or safety checks. In a credential-managing context, vague triggers increase the chance of unintended invocation of sensitive actions like checking, storing, or changing secrets.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The skill persists API keys to a local `.env` file without an explicit warning that the secret will remain on disk and may be accessible to other tools, users, or future sessions. Users may provide credentials expecting ephemeral use, creating an avoidable secret exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal