Back to skill

Security audit

openclaw skill creator

Security checks across malware telemetry and agentic risk

Overview

This is a local skill generator; its generated examples can use Slack, Google Calendar, or local files, but those capabilities are disclosed and require user setup before they run.

Install this only if you want help drafting new OpenClaw skills. Before enabling any generated skill, review the generated code and dependencies, use least-privilege API credentials, avoid putting secrets directly in skill files, restrict Slack channels or account scopes where possible, and add a confirmation step for any skill that sends messages or handles sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module header states the skill is 'entirely local' with 'no external API calls,' but the generated templates explicitly instruct users to create Slack and Google Calendar integrations that require network access and credentials. This mismatch can mislead users and downstream systems about the trust boundary, causing them to approve or run a skill creator that facilitates external data access and transmission.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a general local skill creator, but its core functionality includes producing concrete externally connected integrations for Slack and Google Calendar. This expands the effective capability of the skill into credentialed network operations, which is security-relevant because users may not expect generated artifacts to access external services or sensitive account data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description contains broad trigger language such as helping whenever a user says they 'wish' the agent could do something, which could match ordinary conversation and cause unintended invocation. In security-sensitive contexts, accidental routing into a skill generator can lead to generation of code or setup instructions for capabilities the user did not intend to authorize.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The section says the agent can use this skill automatically, but it does not impose constraints like requiring explicit confirmation before generating code, collecting credentials, or producing installation steps. Ambiguous auto-invocation is risky because this skill's purpose is to create new agent capabilities, which can quickly expand access to local files, credentials, or external services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document emphasizes that the generator itself runs locally, but it does not provide a clear, prominent warning that generated skills may access sensitive local files, credentials, company documents, calendars, messaging systems, or external APIs. This framing can lull users into equating 'local' with 'safe,' even though the resulting skills may introduce significant data exposure or privilege expansion.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The generated Slack template can post messages to a default channel immediately using a bot token, with no built-in confirmation, allowlist, or preview step. In an agent setting, this creates a risk of unintended external transmission, spam, disclosure of sensitive content, or misuse of a broadly scoped Slack token.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The generated Google Calendar template reads credentials from the environment and accesses calendar data without any explicit warning, consent flow, or scope-limiting guidance beyond readonly access. In practice this may expose sensitive schedule information through an agent-generated integration that users may treat as harmless because the parent skill claims to be local and private.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.