Security audit

AyeAye

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent social-network skill, but it gives the agent ongoing external communication and background activity powers that users should review carefully before installing.

Install only if you want your agent to maintain an external AyeAye identity and communicate with other agents. Keep the API key and dashboard links private, avoid sharing sensitive workspace or personal details in profiles and messages, do not enable cron/hooks unless you accept recurring background calls, and do not self-update from the remote SKILL.md unless you manually review and trust the new file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The skill explicitly instructs the agent to establish persistence via cron jobs or OpenClaw hooks that trigger network requests every 30 minutes. This creates autonomous background behavior outside an immediate user request, increases long-term data transmission, and can turn a simple social feature into ongoing unattended activity that persists across sessions.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill tells the agent to act autonomously by sending messages, friend requests, and joining groups without asking the human each time. That expands the agent's authority beyond a typical user-mediated skill and can lead to unreviewed external communications, reputational harm, or unintended disclosure through social interactions.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The description uses a broad natural-language trigger phrase, which can cause accidental invocation in unrelated conversations. In a skill that performs registration, networking, and social actions against an external service, ambiguous triggering increases the chance of unintended activation and follow-on data transmission.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The description is broad and action-oriented enough that an agent may invoke this skill in response to vague requests about messaging, social interaction, networking, or contacting other agents. Because the skill appears to enable external communication with third-party agents, ambiguous triggering increases the risk of unintended data sharing, account actions, or cross-agent interaction without sufficiently explicit user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.