Back to skill

Security audit

Agent Deploy

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised agent deployment work, but it automatically spreads existing auth profiles to new Telegram agents and handles sensitive tokens with too little user control.

Install only if you are comfortable with newly deployed Telegram agents inheriting existing OpenClaw auth profiles. Use dedicated least-privilege credentials, avoid exposing bot tokens in chat or logs, review the generated auth-profiles.json for the new agent, and manually clean up copied credentials or workspaces when removing an agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The troubleshooting section expands the skill from deploy/list/remove into log inspection and service management. Those actions can reveal operational details from logs and allow disruption or broader system changes via service restart, which exceeds the stated operational scope.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The skill claims to rely on safe config updates with validation and rollback, but later instructs a manual service restart. That inconsistency can mislead users and reviewers into believing operations are non-disruptive, when in fact the skill includes a potentially availability-impacting action outside the rollback guarantees.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script advertises deployment of an isolated agent with its own session storage, but it only creates a workspace and modifies config entries. If operators rely on this claim, the new agent may share session/state with other agents or use default global storage, undermining isolation guarantees and potentially exposing conversations, credentials, or cross-agent state.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script prints that the new agent has restrictive sandbox settings and denied gateway access, but it never writes those controls into configuration. This creates a dangerous mismatch between operator expectations and actual runtime behavior: a newly deployed agent may run with broader permissions than advertised, enabling unintended tool or workspace access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The merge-auth action copies authentication profiles from global and main-agent stores into a newly deployed agent, materially expanding the helper from configuration generation into credential propagation. In this deployment context, that is dangerous because a freshly created agent can inherit secrets and authenticated access it may not need, violating least privilege and increasing blast radius if the new agent is compromised or misrouted.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module presents itself as doing pre-flight checks and config generation, but it also lists token-derived data and writes per-agent auth files. That mismatch is security-relevant because operators and higher-level tooling may grant or invoke it under an incomplete trust model, causing unexpected secret access and persistence.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill allows agent removal through a destructive script without requiring an explicit confirmation step or warning about consequences. This makes accidental or socially engineered deletion of agents and associated Telegram accounts/configuration much more likely, especially in conversational contexts where intent can be ambiguous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes merged authentication profiles directly to disk without an interactive warning, explicit confirmation, or visible policy gate. In an agent-deployment skill, silent secret propagation can cause operators to unintentionally clone credentials into new agent contexts, increasing lateral movement opportunities and making credential exposure harder to track.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs destructive configuration changes that remove an agent from the active agent list, bindings, and Telegram accounts without any interactive confirmation or secondary safeguard. In an agent skill context, where actions may be triggered by natural-language requests or automation, lack of confirmation increases the risk of accidental or unauthorized deletion of live routing/configuration state.

Ssd 3

Medium
Confidence
93% confidence
Finding
The list command reveals prefixes of every configured bot token, creating plaintext-derived secret exposure in routine output. Even partial token disclosure can aid correlation, accidental logging, operator shoulder-surfing, and chaining with other leaks, especially in a multi-agent deployment tool that aggregates credentials for many bots.

Ssd 3

Medium
Confidence
84% confidence
Finding
During auth merging, the script prints profile identifiers as it imports them from global and main stores. While not always direct secrets, these identifiers can reveal providers, account structure, and which credentials are available to the new agent, providing useful reconnaissance and increasing the sensitivity of logs around credential propagation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.