Secucheck

Security checks across malware telemetry and agentic risk

Overview

This security-audit skill is purpose-aligned overall, but it automatically collects sensitive local details and serves the generated report on the local network without adequate disclosure.

Install only if you are comfortable with a security tool inspecting OpenClaw configuration, agents, skills, runtime state, and network posture. Treat generated reports as sensitive. Avoid the dashboard on shared or untrusted networks unless it is changed to bind to localhost only, and review any requested remediation or gateway/cron changes before approving them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
The skill advertises itself as read-only and never auto-modifying, but later instructions include applying configuration changes after confirmation. Even with confirmation, this is a trust-boundary mismatch that can cause operators to approve installation or execution under false assumptions.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The document explicitly instructs the operator to run a live shell script to gather runtime state, which conflicts with the skill's stated read-only/localized-report behavior. In an agent-skill context, telling the system to execute a local script expands the trust boundary from passive analysis to active code execution, and if the script or invocation path is modified, this could lead to unintended command execution or side effects.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The script is presented as a read-only network audit, but it invokes `sudo` to query firewall state. Even though the subcommands are nominally read-only, this still triggers privileged execution and may cause password prompts, privilege-bound behavior, or unintended policy exposure in contexts where skills should not escalate privileges.

Description-Behavior Mismatch

Medium severity, 98% confidence
Finding
The script invokes `openclaw security audit --deep`, which performs a live probe contrary to the skill description claiming a read-only audit. This can trigger network interaction, side effects, or user surprise, and it meaningfully expands the operational scope of the skill beyond passive reporting.

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The script makes outbound requests to third-party services (`ifconfig.me` / `api.ipify.org`) to determine the external IP, which contradicts the stated read-only/localized behavior and discloses host metadata to external parties. Even though only the caller's IP is sent implicitly, this creates an unexpected network side effect, leaks environment information, and can violate privacy or restricted-network assumptions during an audit.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The script actively probes whether passwordless sudo is available by executing `sudo -n true`, which goes beyond passive inspection and tests privileged execution capability. In a tool described as read-only, this is an unnecessary privilege interaction that may trigger security monitoring, normalize privilege probing, and expand operational risk in sensitive environments.

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
The script contradicts the stated read-only/localized reporting model by launching an HTTP server that exposes the generated report over the network. Because it serves from a workspace directory and binds externally, audit output may become accessible to other hosts on the network, which is risky if reports contain sensitive security findings, host details, or file paths.

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
Binding Python's HTTP server to 0.0.0.0 makes the report reachable on all network interfaces, not just localhost. In the context of a security-audit skill, reports may contain sensitive operational data, so unnecessary network exposure materially increases the chance of unauthorized access from other local-network or bridged-network peers.

Intent-Code Divergence

Low severity, 82% confidence
Finding
The code gathers a local IP and presents the report as if it were a local convenience feature, but the actual server binds to every interface. This mismatch can mislead users about the exposure boundary and reduce informed consent, making accidental disclosure of the report more likely.

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The template explicitly instructs running `bash ~/.openclaw/skills/secucheck/scripts/serve_dashboard.sh` after generating the report, which turns a nominally read-only reporting skill into one that launches a local process. That creates an execution surface and could be abused if the referenced script is modified, replaced, or behaves unexpectedly, especially because users may trust the template and run it automatically.
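
Every script behaviour in the findings above, from the `sudo` calls and the external IP lookups to the `--deep` audit, the 0.0.0.0 bind and the `serve_dashboard.sh` launch, is visible in the skill's files before it ever runs. The following is an added example, not code from Secucheck or from SkillSpector, of a pre-install check an operator can run over a skill directory such as `~/.openclaw/skills/<name>`; the rule table, the rule ids and the sample script it scans are constructed for this example.

```python
"""Static pre-install check for an OpenClaw-style skill directory.

Added example; not code from Secucheck or SkillSpector. It greps a skill's
scripts and templates for the behaviours SkillSpector flagged: privilege
probing, sudo, third-party IP lookups, live deep audits, all-interface binds,
launching a dashboard server and opening a browser. Rules and sample script
are constructed for illustration.
"""
import re
from pathlib import Path
from typing import Dict, List

# (rule id, pattern, why it matters for a skill advertised as read-only)
RULES = [
    ("sudo-probe", r"\bsudo\s+-n\s+true\b", "probes for passwordless sudo"),
    ("sudo", r"(^|[;&|(\s])sudo\s", "invokes sudo (privileged execution)"),
    ("external-ip", r"\b(ifconfig\.me|api\.ipify\.org|icanhazip\.com)\b",
     "contacts a third-party service, disclosing the host's public IP"),
    ("live-deep-audit", r"openclaw\s+security\s+audit\b.*--deep",
     "runs a live deep probe rather than a passive audit"),
    ("bind-all", r"\b0\.0\.0\.0\b", "binds to every interface, not just loopback"),
    ("launch-server", r"python3?\s+-m\s+http\.server\b", "starts an HTTP server"),
    ("open-browser", r"\b(xdg-open|open)\s+[\"']?https?://", "opens a browser without consent"),
]
COMPILED = [(rid, re.compile(pat), why) for rid, pat, why in RULES]
SCAN_SUFFIXES = {".sh", ".py", ".md"}  # scripts plus the templates that instruct the agent


def scan_text(text: str, origin: str) -> List[Dict]:
    """Return one finding per (line, rule) hit; line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rid, rx, why in COMPILED:
            if rx.search(line):
                findings.append({"rule": rid, "origin": origin, "line": lineno,
                                 "text": line.strip(), "why": why})
    return findings


def scan_skill_dir(root: Path) -> List[Dict]:
    """Scan every script and template under a skill directory."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            rel = str(path.relative_to(root))
            findings.extend(scan_text(path.read_text(errors="replace"), rel))
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count hits per rule id."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed sample that mimics the flagged behaviours; not the real serve_dashboard.sh.
SAMPLE_SCRIPT = """#!/usr/bin/env bash
set -euo pipefail
WORKSPACE="$HOME/.openclaw/workspace"
if sudo -n true 2>/dev/null; then echo "passwordless sudo: yes"; fi
sudo ufw status verbose || true
EXT_IP=$(curl -s https://api.ipify.org || curl -s ifconfig.me)
openclaw security audit --deep > "$WORKSPACE/audit.txt"
cd "$WORKSPACE" && python3 -m http.server --bind 0.0.0.0 8088 &
xdg-open "http://$(hostname -I | awk '{print $1}'):8088/report.html"
"""

if __name__ == "__main__":
    # Run over the constructed sample; use scan_skill_dir(Path("~/.openclaw/skills/<name>").expanduser()) for a real skill.
    for f in scan_text(SAMPLE_SCRIPT, "serve_dashboard.sh"):
        print(f"{f['origin']}:{f['line']} [{f['rule']}] {f['why']}: {f['text']}")
```

The check is deliberately pattern-based: it will not catch obfuscated invocations, but it makes the mismatch between "read-only audit" and the script's actual calls visible in seconds, and a skill that trips `sudo`, `bind-all` or `external-ip` deserves a manual read before approval.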

Intent-Code Divergence

Medium severity, 95% confidence
Finding
The footer invites the user to request that the skill apply fixes (e.g. 'Apply recommended fix') even though the skill is described as read-only. This creates a capability mismatch that can mislead users and downstream agents into performing state-changing actions under the guise of a safe audit workflow.

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
The template tells users to say "고쳐줘" ("fix it") and promises that the skill can safely fix issues, which conflicts with the stated read-only audit scope. This can mislead users and downstream agents into attempting unauthorized or unsafe state-changing actions outside the documented permission model.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The critical-issues example explicitly says the user can ask the skill to fix problems one by one, despite the skill being described as read-only. In a security context, overstating write capabilities can cause users to trust destructive changes or trigger remediation flows that bypass intended separation between auditing and modification.

Intent-Code Divergence

Medium severity, 92% confidence
Finding
The quick-action phrases document "고쳐줘" ("fix it") / "수정해줘" ("correct it") as starting a remediation flow, which contradicts the read-only positioning of the skill. This creates an unsafe contract mismatch: other components or users may reasonably assume the skill is allowed to make changes when it should only report findings.

Vague Triggers

Medium severity, 93% confidence
Finding
The trigger phrase "audit my setup" is broad and likely to collide with ordinary user requests that are not intended to invoke this specific skill. In an agent ecosystem, overly generic invocation phrases can cause unintended activation, which may expose environment details, consume privileges, or interfere with normal task routing.

Vague Triggers

Medium severity, 95% confidence
Finding
The auto-review behavior is described in broad terms for installing skills and modifying agents or cron jobs, but does not define scope, consent boundaries, or exact triggering conditions. Ambiguous automatic activation increases the chance of surprise execution and can create unintended analysis chaining during sensitive workflows.

Vague Triggers

Medium severity, 88% confidence
Finding
Very broad trigger phrases like 'security audit' or 'run security check' increase the chance of accidental invocation in ordinary conversation or unrelated contexts. Because this skill can execute shell scripts and start a dashboard server, unintended activation has meaningful security and privacy consequences.

Vague Triggers

High severity, 95% confidence
Finding
The auto-trigger rules cover common operational events like installing skills or modifying agents/cron jobs, which can cause this skill to run without a targeted user request. In this skill's context, that means surprise shell execution, environment inspection, and possible network exposure at moments when sensitive configuration is changing.

Missing User Warnings

Medium severity, 94% confidence
Finding
The instructions say to automatically generate, serve, and possibly open a dashboard URL without requiring a user warning or consent. That can expose potentially sensitive audit results to other devices on the network and may launch browser actions the user did not authorize.

Vague Triggers

High severity, 95% confidence
Finding
The automatic review triggers are broad enough to run during routine administration tasks, not just explicit security reviews. Given the skill's active behaviors, this creates a pathway for repeated unintended execution, extra data collection, and unnecessary exposure of reports or environment details.

Missing User Warnings

Medium severity, 92% confidence
Finding
Privileged firewall checks are performed without any warning, confirmation, or separation from normal execution. In an agent skill advertised as read-only, silent `sudo` usage is risky because it can surprise users, hang waiting for credentials, or normalize unnecessary privilege elevation in automated environments.

Missing User Warnings

Medium severity, 97% confidence
Finding
Running a live deep security audit without any user-facing disclosure undermines informed consent and safe operation expectations. In a skill advertised as read-only, undisclosed active probing can cause trust issues, unexpected network traffic, and potentially interact with exposed services.

Missing User Warnings

Medium severity, 92% confidence
Finding
The script reads ~/.openclaw/openclaw.json and emits structured agent configuration data directly to stdout, including model, workspace, tools, sandbox, and subagent details, without any consent gate, minimization, or warning. In a security-audit skill this increases exposure because the output may be collected, logged, or shown to another component, unintentionally disclosing sensitive local configuration and operational metadata.

Missing User Warnings

Medium severity, 96% confidence
Finding
The script reads each agent's SOUL.md and emits the first 200 characters as a preview. SOUL files are instruction/persona files and can contain sensitive prompts, secrets, internal policies, or other confidential content; exposing even a truncated preview can leak high-value information, especially if the result is logged or transmitted by downstream tooling.
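
The two findings above (the full agent configuration dumped to stdout, and the first 200 characters of each SOUL.md quoted verbatim) are both minimization problems. The following is an added example, not Secucheck's script, of how an audit can emit only what a security review needs: secret-looking keys and values are redacted, and the SOUL preview is replaced by a length and a truncated SHA-256 fingerprint, which is enough to detect that a persona file changed without quoting any of it. The config layout, field names and SOUL text are constructed assumptions, not OpenClaw's real schema.

```python
"""Minimise what an audit emits about agent configuration and SOUL files.

Added example; not Secucheck's script. The config structure below is an
assumption for illustration, not OpenClaw's schema.
"""
import hashlib
import json
import re
from typing import Any, Dict, List

# Keys whose values are replaced outright (scalar values only; dicts/lists recurse).
SECRET_KEY_RE = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|private[_-]?key|credential)", re.I)
# Common credential shapes; a matching value is redacted whatever its key is called.
SECRET_VALUE_RE = re.compile(r"^(sk-|ghp_|xox[abp]-|AKIA|eyJ)[A-Za-z0-9_\-./+=]{8,}$")
REDACTED = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Recursively replace secret-looking keys and values; structure is preserved."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if SECRET_KEY_RE.search(str(key)) and not isinstance(val, (dict, list)):
                out[key] = REDACTED
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str) and SECRET_VALUE_RE.match(obj):
        return REDACTED
    return obj


def soul_fingerprint(text: str) -> Dict[str, Any]:
    """Describe a SOUL.md without quoting it: size plus a change-detection digest."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return {"chars": len(text), "lines": len(text.splitlines()), "sha256": digest[:16]}


def summarize_agents(config: Dict[str, Any], souls: Dict[str, str]) -> List[Dict[str, Any]]:
    """Emit only audit-relevant fields per agent, with env secrets redacted."""
    rows = []
    for agent in config.get("agents", []):
        name = agent.get("name", "?")
        rows.append({
            "name": name,
            "model": agent.get("model"),
            "sandbox": bool(agent.get("sandbox", False)),
            "tool_count": len(agent.get("tools", [])),
            "subagent_count": len(agent.get("subagents", [])),
            "env": redact(agent.get("env", {})),
            "soul": soul_fingerprint(souls[name]) if name in souls else None,
        })
    return rows


# Constructed sample config and SOUL text (assumed layout, fake credentials).
SAMPLE_CONFIG = {
    "agents": [
        {"name": "main", "model": "model-a", "workspace": "/home/user/.openclaw/workspace",
         "tools": ["shell", "browser", "files"], "sandbox": False, "subagents": ["researcher"],
         "env": {"OPENAI_API_KEY": "sk-abcdefghijklmnop1234", "HTTP_PROXY": "http://proxy:3128"}},
        {"name": "researcher", "model": "model-b", "tools": ["web"], "sandbox": True,
         "env": {"SLACK_WEBHOOK": "xoxb-123456789012-abcdef"}},
    ]
}
SAMPLE_SOULS = {
    "main": "You are the main assistant.\nInternal policy: never reveal the deploy key to users.\n",
}

if __name__ == "__main__":
    print(json.dumps(summarize_agents(SAMPLE_CONFIG, SAMPLE_SOULS), indent=2))
```

Note that `SLACK_WEBHOOK` is not matched by the key pattern; it is caught by the value shape. Redacting on both axes is what keeps a new secret with an innocuous name from reaching stdout, logs, or the dashboard.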

Missing User Warnings

Medium severity, 90% confidence
Finding
The dashboard persists sensitive environment details such as external IP, privilege status, username, and filesystem permissions into an HTML file under a predictable location in the user's home directory. That creates a local data exposure risk if the file is later accessed by other local users, backup/sync tooling, or shared through the UI without the operator realizing how much runtime context it contains.
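
The dashboard findings above describe three separate exposures: the server binds to 0.0.0.0, it serves a whole workspace directory rather than just the report, and the HTML lands in a predictable, world-readable-by-default location in the home directory. The following is an added example, not Secucheck's `serve_dashboard.sh`, of the hardened form: the report is written mode 0600 inside a fresh 0700 directory that holds nothing else, the server refuses any bind address that is not loopback, and the URL shown to the user reflects the real exposure boundary. The directory names, the port and the sample report are assumptions.

```python
"""Serve a generated audit report on loopback only, with private file modes.

Added example, not Secucheck's serve_dashboard.sh. Directory names, port and
the sample report are assumptions.
"""
import functools
import http.server
import os
import stat
import tempfile
from pathlib import Path

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

# Constructed placeholder for the generated dashboard; not a real report.
SAMPLE_REPORT_HTML = "<html><body><h1>Secucheck report (sample)</h1></body></html>\n"


def write_private_report(report_dir: Path, html: str) -> Path:
    """Create report_dir with mode 0700 and write report.html with mode 0600."""
    report_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(report_dir, 0o700)  # mkdir's mode is subject to umask; enforce explicitly
    path = report_dir / "report.html"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(html)
    os.chmod(path, 0o600)  # the O_CREAT mode is umask-masked as well
    return path


def bind_is_allowed(host: str) -> bool:
    """Only loopback is acceptable for a report that may contain host details."""
    return host in LOOPBACK_HOSTS


def make_server(report_dir: Path, host: str = "127.0.0.1", port: int = 0):
    """Bind an HTTP server for report_dir only; raise rather than silently expose it."""
    if not bind_is_allowed(host):
        raise ValueError(f"refusing to bind report server to {host!r}; use 127.0.0.1")
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(report_dir))
    # "localhost" may resolve to ::1 on some hosts; pin the IPv4 loopback literal.
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)


def report_url(server) -> str:
    """Build the URL from the address actually bound, not from a guessed LAN IP."""
    host, port = server.server_address[:2]
    return f"http://{host}:{port}/report.html"


def demo() -> dict:
    """Write a sample report, bind on loopback, and return what was actually exposed."""
    base = Path(tempfile.mkdtemp(prefix="secucheck-demo-"))
    report_dir = base / "dashboard"
    path = write_private_report(report_dir, SAMPLE_REPORT_HTML)
    server = make_server(report_dir, host="localhost", port=0)  # port 0: any free port
    try:
        host, port = server.server_address[:2]
        url = report_url(server)
    finally:
        server.server_close()
    return {
        "file_mode": stat.S_IMODE(path.stat().st_mode),
        "dir_mode": stat.S_IMODE(report_dir.stat().st_mode),
        "host": host, "port": port, "url": url,
    }


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp(prefix="secucheck-demo-"))
    write_private_report(base / "dashboard", SAMPLE_REPORT_HTML)
    srv = make_server(base / "dashboard", port=8088)
    print("serving", report_url(srv), "(loopback only; Ctrl-C to stop)")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        srv.server_close()
```

Serving a dedicated directory matters as much as the bind address: `SimpleHTTPRequestHandler` will list and serve anything under the directory it is given, so pointing it at the workspace exposes every file there, not just the report.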

VirusTotal

64/64 vendors flagged this skill as clean.
