Back to skill

Security audit

Find File

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it also searches for LINE/OpenClaw secrets and uses a path-based upload flow that can expose local files if used carelessly.

Install only if you are comfortable with an agent searching your home directory, reading file contents during content searches, copying selected files to your Desktop, and sending files through LINE when local paths are emitted. Review or remove send_line.py before use if you store LINE/OpenClaw/Moltbot tokens locally, because it searches those secret locations and prints partial token values. Use explicit search folders and confirm the exact file before any upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes capabilities that imply file read/write, shell invocation, environment access, and possible network use, yet it declares no permissions or explicit trust boundaries. That omission makes it harder to audit, constrain, or safely authorize the skill, especially because it handles local file discovery and transfer-like behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond local search-and-copy and includes credential discovery, reading environment/config secrets, and a direct LINE send flow. That is a serious mismatch because it can conceal secret harvesting and exfiltration paths behind an innocuous file-finder description, increasing the chance that users or policy systems grant unsafe access.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code’s behavior materially diverges from the declared skill purpose. Instead of implementing local file search/copy-to-reception behavior, it probes for OpenClaw/Moltbot config and secret files and extracts LINE credentials, which is a strong indicator of credential discovery unrelated to user-requested functionality. In the context of an agent skill with filesystem access, this mismatch is especially dangerous because it can covertly leverage host-stored secrets for unauthorized messaging or later exfiltration.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads unrelated local secret/config files such as .openclaw/secrets.json and .moltbot/secrets.json to obtain messaging credentials. Accessing stored secrets outside the skill’s stated file-finding/copying purpose is unauthorized credential harvesting behavior and creates a direct path to abuse other services or accounts on the host.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code pulls LINE credentials from environment variables even though the skill’s declared role is local file handling, not messaging. While reading environment variables is common in legitimate integrations, here it expands the skill’s access to sensitive secrets without clear necessity, increasing the risk of unauthorized use of host credentials.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The function claims to send a file via LINE, but it never performs a LINE API request or transfers the file. That discrepancy is suspicious because the implemented behavior is primarily credential discovery and validation, which can serve as reconnaissance for later misuse while misleading reviewers about the real effect of the code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently reads local secret/config files to obtain credentials without informing the user. Even if intended for convenience, undisclosed access to stored secrets violates user expectations and undermines safe handling of sensitive data, particularly in a skill whose purpose does not require credential discovery.

Ssd 3

High
Confidence
99% confidence
Finding
The skill instructs the agent to print full local file paths in chat so an external bridge will automatically upload the referenced file. This creates a covert natural-language exfiltration channel where merely mentioning a path can cause sensitive local files to be transmitted outside the host, bypassing normal attachment consent and security review.

VirusTotal

No VirusTotal findings

View on VirusTotal