Back to skill

Security audit

Openclaw Nextcloud

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but coherent Nextcloud integration that clearly discloses account-level access, write/delete actions, and public link sharing.

Install only if you are comfortable giving this skill account-level Nextcloud app-password access. Use a revocable app password, start with a test account if possible, confirm every delete/upload/edit/share action, prefer read-only shares with password and expiration, and rotate the app password if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description omits that the skill can create, list, and revoke public share links, which is a materially different and more sensitive capability than ordinary file management. Undisclosed sharing functionality can lead users or calling agents to invoke the skill without appreciating that it can expose private data externally via public URLs.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill implements creation, listing, and deletion of public file shares via the Nextcloud OCS sharing API, but the manifest description does not disclose that it can expose files through public links. That mismatch is security-relevant because users or higher-level agents may grant this skill access expecting private file management only, while the skill can silently broaden data exposure outside the authenticated Nextcloud account.

Known Vulnerable Dependency: fast-xml-parser==5.3.4 — 6 advisory(ies): CVE-2026-33036 (fast-xml-parser affected by numeric entity expansion bypassing all entity expans); CVE-2026-27942 (fast-xml-parser has stack overflow in XMLBuilder with preserveOrder); CVE-2026-41650 (fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimi) +3 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
fast-xml-parser==5.3.4

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:32

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/nextcloud.js:17606