Back to skill

Security audit

Skillcraft

Security checks across malware telemetry and agentic risk

Overview

Skillcraft is an instruction-only skill for helping users design OpenClaw skills, and its powerful examples are disclosed and aligned with that purpose.

Treat this as a skill-building assistant. Review any skills it helps create before installing or publishing them, especially if they add scheduled jobs, local command execution, browser-authenticated sessions, API tokens, downloaded installers, persistent memory, or background subagents; require clear approval, least-privilege credentials, dry runs, and logs for those cases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This pattern combines scheduled triggers with local command execution and authenticated dashboard access, which can lead to impactful operations running automatically without contemporaneous user awareness or approval. In a skill-building context, this is more dangerous because readers may reuse the pattern as a blueprint for autonomous tasks that execute commands or access sensitive resources on a recurring basis.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.