AGENT SPM SKILL

Security checks across malware telemetry and agentic risk

Overview

This is a coherent installation guide for a Guardian/OpenClaw plugin, but it asks users to enable enforcement and create a persistent private key that should be handled carefully.

Install only if you trust the plugin and want it to affect OpenClaw gateway decisions. Review the exact OpenClaw config changes, keep the private key out of chats, logs, repositories, and insecure backups, and know how to disable the plugin and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs the user to generate a long-lived secp256k1 private key and store it in a predictable path on disk, but it does not adequately explain the security sensitivity, lifecycle, rotation, backup, and compromise implications of that credential. Even though the file is created with mode 0600 and not printed to stdout, a local compromise, misconfiguration, accidental inclusion in backups, or later exfiltration by other tools could expose the key and allow unauthorized signing/authentication.

VirusTotal

64/64 vendors flagged this skill as clean.
