Skillcraft

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for building OpenClaw skills, and its powerful examples are disclosed and aligned with that purpose.

Installers should treat this as a skill-authoring assistant. Review any skills it helps create, especially ones that add scheduled jobs, local command execution, browser sessions, API tokens, downloads, or persistent memory, and require clear user approval and least-privilege scoping before enabling those capabilities.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The example explicitly combines local command execution, authenticated browser access, and API fetching in a scheduled workflow, but provides no mention of confirmation, scoping, credential handling, or least-privilege safeguards. In a skill-building context, this can normalize creation of automation that runs with broad system and account access, increasing the chance of unsafe or over-privileged skills being produced and deployed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal