Back to skill

Security audit

Aios Call App Service

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a live business-system gateway, and its high-impact read/write authority is not scoped or disclosed clearly enough for automatic use.

Install only if you intend to let the agent access live business systems through this CLI. Limit the connected account permissions, prefer read-only access where possible, and require explicit user confirmation before any operation that changes records, triggers workflows, or sends sensitive payloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document first requires strict adherence to ontology-defined argument types and forbids guessing, but later instructs callers to retry failed object parsing as array or changeset. In a skill that drives real business-system operations, this fallback can coerce malformed requests into unintended command shapes, causing unauthorized updates, data corruption, or bypass of validation assumptions in downstream SDKs.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is framed to activate whenever requests involve AIOS/OpenClaw/Forguncy business systems or real-time data, which is broad enough to capture many normal enterprise queries. In a high-privilege integration skill that can trigger live system calls and business operations, ambiguous activation increases the chance of unnecessary or premature tool use, including sensitive reads or state-changing actions if downstream safeguards fail or are inconsistently applied.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Telling the agent to use the skill whenever a question cannot be answered by general knowledge creates an open-ended fallback that lacks security boundaries. Because this skill can invoke business-system interfaces through a CLI, the ambiguity can cause over-invocation, exposing sensitive data paths or operational capabilities in contexts where clarification or refusal would be safer.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation with no visible trigger constraints, allowing the agent to call a live business-integration capability automatically. In this skill’s context, the capability can read ontology data and invoke AIOS/OpenClaw/Forguncy application interfaces using real-time session and sender-scoped context, so unintended invocation could cause unauthorized business actions, data access, or side effects without sufficiently explicit user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states the skill should be used when the user wants to perform actions directly in business systems, but it does not warn that those actions may have real side effects in production-like environments. This increases the chance that an agent or user invokes the skill without informed consent, potentially causing unintended state changes, transactions, or operational impact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions direct all calls through a CLI that forwards requests to a local socket service and then to downstream business systems, but they omit any notice about data transmission beyond the agent boundary. Without disclosure, operators may place sensitive payloads, identifiers, or query data into these calls without understanding they are being sent to local services and external business backends.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.