Permission Manager

Security checks across malware telemetry and agentic risk

Overview

This skill openly manages OpenClaw approval settings, but it can persistently weaken or disable command approvals with broad triggers and no enforced confirmation in the helper script.

Install only if you intentionally want a skill that can change OpenClaw command-approval policy. Prefer default or strict mode, avoid no-approval except temporarily in an isolated trusted environment, and manually back up or verify ~/.openclaw/openclaw.json before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands and reads/writes persistent configuration files, but it does not declare any permissions or capability boundaries. That mismatch can prevent proper user review and policy enforcement, which is especially risky here because the skill changes execution approval settings and can reduce or disable safeguards.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill states that disabling approvals must only occur after explicit human consent, but its own example performs the switch immediately after a simple request. This inconsistency trains or encourages agents to bypass the confirmation step for a high-risk action, making accidental or socially engineered approval disabling more likely.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation phrases include very broad commands such as '完整权限', '免审批模式', and especially '关闭所有审批', which can plausibly appear in ordinary discussion and be interpreted as an instruction to change the agent's approval policy. In a skill that directly alters security controls, ambiguous triggers materially increase the chance of accidental privilege reduction or unintended disabling of approval safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises a no-approval mode ('免审批模式', '关闭所有审批') directly in the usage examples without an immediate inline warning, friction, or confirmation requirement at the point of invocation. Because this skill manages approval/security settings, normalizing a one-step path to disable approvals can lead users to unintentionally place the agent into a high-risk state where sensitive or destructive actions execute without review.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Phrases like '给我完整权限' or '切换到开发模式' are broad and can overlap with ordinary conversational requests about capability rather than an actual intent to reconfigure execution policy. In a skill that changes security posture, ambiguous triggers can cause unintended elevation from allowlist to full execution.

Vague Triggers

High
Confidence
97% confidence
Finding
Broad phrases such as '关闭所有审批' or '切换到便利模式' can be triggered by ordinary discussion, paraphrase, or prompt injection, yet they map to the most dangerous state: full execution with approvals off. Because this disables the primary safety control for command execution, a mistaken match can immediately expose the environment to arbitrary command execution without human review.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The keyword-matching rules are underspecified and directly map loose language to sensitive configuration states without robust intent verification. In this skill's context, that makes unintended or manipulated mode switches more dangerous because the action changes the agent's global execution controls rather than a harmless local setting.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description advertises rapid switching between whitelist, full-permission, and no-approval modes without any stated trigger constraints, scope limits, or authorization requirements. In a permission-management skill, broad activation language is especially risky because it suggests the skill could be invoked in ways that weaken or disable approval safeguards, increasing the chance of accidental or unauthorized privilege changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directly rewrites the user's OpenClaw execution policy and supports modes like 'full' and especially 'no_approval', which disable or weaken approval controls without any confirmation, authorization check, backup, or rollback. In this skill context, that is especially dangerous because the entire purpose is to alter security boundaries, so a single invocation can silently reduce protections for all future command execution.

VirusTotal

67/67 vendors flagged this skill as clean.
