Agent Recruiter

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it makes persistent OpenClaw configuration, credential-profile, routing, service-restart, and agent-behavior changes that need careful review before installation.

Install only if you are comfortable with a skill that can create persistent OpenClaw agents, copy auth profiles, edit live routing, and restart Gateway. Before running it, back up ~/.openclaw/openclaw.json, inspect auth-profiles.json, verify the Feishu group ID, review generated SOUL.md behavior, and avoid enabling automatic repair, group posting, or memory logging until you have scoped what the agent may change, send, and retain.
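The back-up step above is only useful if the saved copy is actually compared with the live configuration afterwards. The following shell script is an added example, not code from the Agent Recruiter skill or from OpenClaw: it snapshots the two files the page names (~/.openclaw/openclaw.json and auth-profiles.json, assumed here to live in the same directory) before the skill runs and diffs them afterwards, so that added agents, copied auth profiles and new routing bindings are reviewed before the Gateway is restarted. The JSON in demo() is constructed for the example and does not claim to be OpenClaw's real schema.

```bash
#!/usr/bin/env bash
# Added example, not part of the Agent Recruiter skill or of OpenClaw.
# Snapshot the OpenClaw files the skill is documented to change (openclaw.json
# is edited, auth-profiles.json is copied from) and diff them after the skill
# has run, so new agents, copied profiles and routing bindings get reviewed
# before Gateway is restarted.
set -eu

# Assumption: both files live in the same directory; the page names only
# ~/.openclaw/openclaw.json explicitly.
OPENCLAW_DIR="${OPENCLAW_DIR:-${HOME:-.}/.openclaw}"
WATCHED_FILES="openclaw.json auth-profiles.json"

# snapshot_openclaw <config_dir> <snapshot_dir>
# Copy each watched file that exists into <snapshot_dir> and make the copy
# read-only so a later run of the skill cannot silently rewrite the baseline.
snapshot_openclaw() {
    local src="$1" dst="$2" f
    mkdir -p "$dst"
    for f in $WATCHED_FILES; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dst/$f"
            chmod 0400 "$dst/$f"
        fi
    done
    return 0
}

# diff_openclaw <snapshot_dir> <config_dir>
# Print a unified diff for every watched file that changed and name files that
# appeared or disappeared. Returns 0 when nothing changed, 1 otherwise.
diff_openclaw() {
    local snap="$1" live="$2" f changed=0
    for f in $WATCHED_FILES; do
        if [ -f "$snap/$f" ] && [ -f "$live/$f" ]; then
            if ! diff -u "$snap/$f" "$live/$f"; then
                changed=1
            fi
        elif [ -f "$snap/$f" ] || [ -f "$live/$f" ]; then
            echo "$f: present in only one of snapshot and live config"
            changed=1
        fi
    done
    return "$changed"
}

# demo: constructed sample data in a temp dir; the real ~/.openclaw is untouched.
# The JSON shape below is made up for the example, not OpenClaw's schema.
demo() {
    local work live snap
    work="$(mktemp -d)"
    live="$work/openclaw"
    snap="$work/snapshot"
    mkdir -p "$live"
    printf '{"agents": ["main"], "bindings": []}\n' >"$live/openclaw.json"
    printf '{"profiles": {"main": {"provider": "example"}}}\n' >"$live/auth-profiles.json"

    snapshot_openclaw "$live" "$snap"

    # Simulate the side effects the findings describe: a new agent, a copied
    # auth profile, and a routing binding to a group chat.
    printf '{"agents": ["main", "tim"], "bindings": [{"agent": "tim", "group": "<feishu-group-id>"}]}\n' >"$live/openclaw.json"
    printf '{"profiles": {"main": {"provider": "example"}, "tim": {"provider": "example"}}}\n' >"$live/auth-profiles.json"

    if diff_openclaw "$snap" "$live"; then
        echo "no changes to watched files"
    else
        echo "watched files changed: review the diff above before restarting Gateway"
    fi
    rm -rf "$work"
}

demo
```

In practice, run `snapshot_openclaw "$OPENCLAW_DIR" ./openclaw-snapshot` before installing the skill and `diff_openclaw ./openclaw-snapshot "$OPENCLAW_DIR"` after it has run; any new agent entry, profile or binding in the diff is something the skill changed on your behalf.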

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High severity, 97% confidence
The template defines Tim as a full system-maintenance and remediation agent, which materially exceeds the surrounding skill's stated purpose of recruiting and configuring agents. In a recruiter skill, embedding a broadly empowered operational persona creates scope creep and can cause downstream agents to perform privileged monitoring and repair actions users did not intend when invoking this skill.

Context-Inappropriate Capability

High severity, 98% confidence
These sections grant ongoing infrastructure monitoring, cron repair, and agent lifecycle intervention authority that is not justified by an agent-recruitment workflow. Because templates shape future agent behavior, this effectively seeds privileged operational capabilities into newly created agents without clear need-to-have restrictions.

Context-Inappropriate Capability

High severity, 97% confidence
Allowing the template to install, update, and uninstall skills/plugins gives a recruited agent supply-chain and persistence-affecting power unrelated to simple agent provisioning. Such authority can alter the execution environment, introduce unreviewed code, or disable safeguards, making the mismatch especially dangerous in a skill whose expected role is administrative setup.

Context-Inappropriate Capability

High severity, 96% confidence
The advanced capabilities authorize autonomous repair, bulk config changes, backup/rollback, and self-healing behaviors including restarting offline services. In the context of a recruiter skill, these are powerful state-changing actions that can cause outages, mask incidents, or be abused for persistence or disruptive changes without focused operator consent.

Intent-Code Divergence

Medium severity, 89% confidence
The file is framed as a maintenance-specialist SOUL template, which contradicts the surrounding skill's recruiter-oriented purpose and increases the chance that users unknowingly instantiate an operations-capable agent. This contextual mismatch is security-relevant because misleading packaging hides the true authority and behavioral scope of the generated agent.

Vague Triggers

Medium severity, 92% confidence
The skill advertises broad trigger phrases such as '招聘 agent' (recruit agent), '创建 agent' (create agent), and '配置 agent' (configure agent), which overlap with ordinary conversation and can cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous than usual because the documented workflow creates directories, copies configs, edits the global OpenClaw configuration, and restarts the Gateway.

Missing User Warnings

Medium severity, 96% confidence
The document describes an automated script that creates agent state, copies authentication/model configuration, updates ~/.openclaw/openclaw.json, adds message-routing bindings, and restarts the Gateway, but it does not prominently warn about service disruption, routing changes, or credential/config propagation. Because these are persistent and system-affecting actions, a user or agent could invoke them without appreciating that they alter live configuration and may redirect messages or interrupt service.

Missing User Warnings

Medium severity, 94% confidence
The skill explicitly instructs the agent to push market briefs to a specified group chat and record activity to a memory file, but it does not require disclosure, consent, retention limits, or scoping of what gets persisted. In an agent context, silent outbound sharing and persistence can expose sensitive user preferences, operational details, or chat-derived data to unintended recipients or long-term storage.

Missing User Warnings

Medium severity, 86% confidence
Instructing the agent to record all changes to a memory file without privacy or sensitivity limits can lead to storage of secrets, identifiers, incident details, or other sensitive operational data. Persistent memory expands exposure surface and may create compliance and data-retention risks if later accessed by other tools or agents.

VirusTotal

66/66 vendors reported this skill as clean. Note that VirusTotal checks the packaged files against malware signatures; it does not assess the configuration, routing, and agent-behavior changes described in the findings above, so a clean result here does not offset them.