Security audit

OpenclawContinuousWork 1.0.0

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about what it does (continuous optimization work), but it grants broad file-change and keep-working behavior under everyday trigger phrases, with no clear user confirmation gates.

Install only if you want an agent to push multi-step optimization work autonomously. Before using it, specify the exact target directory, require a plan before edits, require explicit approval before deletions or broad rewrites, and tell the agent to stop after the final summary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises executable scripts and repository-modifying operations (file_read, file_write, shell) but declares no permissions. That is a transparency and consent failure: a user or host may invoke the skill expecting lightweight conversational behavior, while it can read, rewrite, and audit repository contents through shell-driven workflows.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The public description frames the skill as improving the dialogue experience and closing out tasks continuously, but the referenced behavior includes broad repository scanning, report generation, file normalization, and pipeline execution. The mismatch matters because it hides materially different operational behavior, raising the chance of codebase-wide modification or execution under an innocuous-seeming trigger.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger phrases are broad everyday terms such as '继续做' ("keep going") and '不要停' ("don't stop"), which can activate continuous execution outside a clearly bounded task scope. In a skill designed to keep acting without further prompting, this can make the assistant over-commit, continue operating on unintended tasks, or skip natural conversational pauses and consent checkpoints.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The rule enables continuous mode whenever work appears 'multi-stage' or has a 'clear next step', but those conditions are subjective and have no hard boundary. The ambiguity makes it more likely that the agent self-authorizes extended action chains without explicit user approval, especially in optimization, refactoring, migration, or delivery workflows that touch many files or systems.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger phrase “优化” (“optimize”) is extremely broad and matches many ordinary user requests, so this high-autonomy skill can activate unexpectedly. Because the skill performs deep analysis and permits broad file changes, accidental invocation raises the chance of unauthorized or over-scoped modifications.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The directive explicitly authorizes modifying, deleting, and adding files without requiring a warning, a confirmation step, or a bounded scope from the user. In a continuous-work skill designed to keep acting until completion, this creates a real risk of destructive or irreversible repository changes beyond what the user expected.
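The mitigations the overview recommends (one declared target directory, a plan before any edit, explicit approval before deletions or broad rewrites, stop after the final summary) can be enforced by the host rather than trusted to the skill. The gate below is an added example written for this audit, not code from OpenclawContinuousWork or its scanner; the Op/Gate/GateError names, the 50% cutoff for a "broad rewrite", and the scenario fixture are hypothetical. It also covers the two escape routes a path allowlist most often misses, '..' segments and symlinks, by resolving before checking containment.

```python
# Added example (not the skill's code): a gate that enforces the overview's
# mitigations. Names, the Op/Gate shapes and the 50% "broad rewrite" cutoff
# are hypothetical choices for this example.
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


class GateError(Exception):
    """Raised when the gate refuses a proposed operation."""


@dataclass
class Op:
    kind: str                   # "read", "write" or "delete"
    path: str                   # as proposed by the agent, relative to the target
    rewrite_ratio: float = 0.0  # writes only: share of the file being replaced


@dataclass
class Gate:
    target_dir: Path
    broad_rewrite_threshold: float = 0.5  # hypothetical cutoff for "broad rewrite"
    plan: list = field(default_factory=list)
    approvals: set = field(default_factory=set)
    finished: bool = False

    def __post_init__(self):
        self.target_dir = Path(self.target_dir).resolve()

    def record_plan(self, steps):
        self.plan = list(steps)  # required before the first write or delete

    def approve(self, kind, path):
        self.approvals.add((kind, self._confine(path)))  # explicit, per file

    def finish(self, summary):
        self.finished = True  # after the final summary every action is refused
        return summary

    def _confine(self, path):
        # Resolve '..' and symlinks first, then check containment; checking the
        # raw string would let 'link -> /etc' or '../../x' escape.
        candidate = (self.target_dir / path).resolve()
        if candidate != self.target_dir and self.target_dir not in candidate.parents:
            raise GateError(f"escapes target directory: {path}")
        return candidate

    def check(self, op):
        """Return the resolved path if the operation is permitted, else raise."""
        if self.finished:
            raise GateError("run finished: no actions after the final summary")
        if op.kind not in ("read", "write", "delete"):
            raise GateError(f"unknown operation kind: {op.kind}")
        resolved = self._confine(op.path)
        if op.kind == "read":
            return resolved
        if not self.plan:
            raise GateError("no plan recorded before first edit")
        broad = op.kind == "write" and op.rewrite_ratio >= self.broad_rewrite_threshold
        if (op.kind == "delete" or broad) and (op.kind, resolved) not in self.approvals:
            raise GateError(f"{op.kind} on {op.path} requires explicit approval")
        return resolved


def run_scenarios():
    """Drive the gate through the cases the audit worries about, in a temporary
    directory holding one symlink that points outside it (constructed fixture).
    Returns {scenario: "allowed" or the refusal reason}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        target = root / "project"
        target.mkdir()
        (root / "secrets").mkdir()
        (target / "escape").symlink_to(root / "secrets")
        gate = Gate(target_dir=target)

        def attempt(name, op):
            try:
                gate.check(op)
                results[name] = "allowed"
            except GateError as exc:
                results[name] = str(exc)

        attempt("read in scope", Op("read", "src/main.py"))
        attempt("write before plan", Op("write", "src/main.py", 0.1))
        gate.record_plan(["normalize line endings in src/", "run the test suite"])
        attempt("small write after plan", Op("write", "src/main.py", 0.1))
        attempt("broad rewrite unapproved", Op("write", "src/main.py", 0.9))
        attempt("delete unapproved", Op("delete", "src/old.py"))
        gate.approve("delete", "src/old.py")
        attempt("delete approved", Op("delete", "src/old.py"))
        attempt("dotdot escape", Op("read", "../secrets/key.pem"))
        attempt("symlink escape", Op("read", "escape/key.pem"))
        gate.finish("Normalized 3 files; tests pass.")
        attempt("write after summary", Op("write", "src/main.py", 0.1))
    return results
```

Run `run_scenarios()` to see each decision; the point of the design is that the agent never sees the approval set or the plan flag, so a trigger phrase can start work but cannot widen its scope.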

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The rule binds behavior to the broad trigger word “优化” (“optimize”), a common everyday term, so the skill can activate where the user did not intend continuous or invasive optimization. Because the baseline also authorizes broad file analysis and modification, the ambiguous trigger raises the risk of overreach, unintended edits, and misaligned task execution.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: The file enforces a fixed response language and workflow behavior without any user opt-in, which can override user preference and reduce transparency about how the assistant will respond. In a continuous-work skill that performs broad scanning, modification, and regression steps, forced communication constraints make it harder for users to understand, control, and safely supervise the agent's actions.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The trigger phrases are extremely broad and include common words such as 'work', 'project', 'continue', and 'don't stop', which match ordinary user conversation. This is especially risky here because the skill runs continuously and references scripts that can audit and modify files, so accidental activation can lead to prolonged autonomous action beyond user intent.
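The Vague Triggers findings above all reduce to one measurable property: how often the trigger list fires on conversation that has nothing to do with repository optimization. The script below is an added example for this audit, not part of the skill or of SkillSpector. It takes the trigger phrases quoted in the findings, runs them over a small constructed set of ordinary messages (not a real transcript), reports which triggers fire, and compares the activation rate against a hypothetical strict policy in which the trigger must open the message as a command and be followed by a directory scope such as "continue on ./src".

```python
import re

# Trigger phrases quoted in the findings above (the skill's, as reported).
TRIGGERS = ["work", "project", "continue", "don't stop", "继续做", "不要停", "优化"]

# Constructed ordinary chat messages (not from any real transcript), none of
# which asks for autonomous repository optimization.
ORDINARY_MESSAGES = [
    "How is work going this week?",
    "I'm starting a new project in Rust, any tips?",
    "Continue the story where the dragon wakes up.",
    "Don't stop at the first result, give me three options.",
    "这段代码可以优化一下吗？",  # "Can this bit of code be optimized a little?"
    "What's the difference between TCP and UDP?",
    "Translate this paragraph into French, please.",
    "Explain what a CSRF token protects against.",
]

# Hypothetical strict policy used for comparison: the trigger must open the
# message as an explicit command and be followed by a directory scope, e.g.
# "continue on ./src" or "优化 ./lib".
SCOPE = r"\s+(?:on|in|:)?\s*(\.{0,2}/[\w./-]+)\s*$"


def loose_match(message, trigger):
    """Case-insensitive substring match: what a bare keyword trigger implies."""
    return trigger.lower() in message.lower()


def strict_match(message, trigger):
    """Explicit invocation: trigger at the start, scoped to one directory."""
    return re.match(r"^\s*" + re.escape(trigger) + SCOPE, message, re.IGNORECASE) is not None


def breadth_report(triggers=TRIGGERS, messages=ORDINARY_MESSAGES):
    """Count how often each trigger fires on ordinary conversation under loose
    matching, and compare whole-message activation rates for both policies."""
    per_trigger = {t: sum(loose_match(m, t) for m in messages) for t in triggers}
    loose_hits = sum(any(loose_match(m, t) for t in triggers) for m in messages)
    strict_hits = sum(any(strict_match(m, t) for t in triggers) for m in messages)
    return {
        "per_trigger": per_trigger,
        "overbroad": [t for t, n in per_trigger.items() if n > 0],
        "loose_activation_rate": loose_hits / len(messages),
        "strict_activation_rate": strict_hits / len(messages),
    }


if __name__ == "__main__":
    report = breadth_report()
    for trigger, hits in report["per_trigger"].items():
        print(f"{trigger!r:14} fires on {hits} of {len(ORDINARY_MESSAGES)} ordinary messages")
    print("loose activation rate :", report["loose_activation_rate"])
    print("strict activation rate:", report["strict_activation_rate"])
```

On this sample, five of the seven triggers fire on at least one unrelated message and the loose policy activates the skill on 5 of 8 messages, while the strict policy activates on none of them yet still accepts an explicit "continue on ./src". Swap in a larger corpus of your own ordinary traffic before trusting the numbers; the shape of the result, not the exact rate, is the point.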

VirusTotal

0 of 65 engines flagged this skill (65/65 clean). A clean antivirus verdict does not address the findings above, which concern natural-language directives and autonomy scope rather than malicious code.

Static analysis

No suspicious patterns detected.