Skill Creator Operator

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe for helping create OpenClaw skills, with disclosed local file scaffolding and publishing steps only when requested.

Install this if you want help creating OpenClaw skills. Because it can create local files, run the scaffolder from the directory where you want new skill folders, review generated files before publishing, and avoid putting secrets in any generated config.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrase "create a new skill" is broad enough to match many generic user requests that may not specifically intend to invoke this skill. In agent systems with automatic skill selection, such ambiguous activation can cause the wrong skill to run, leading to unintended file creation, scaffolding actions, or context hijacking.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The phrase "scaffold a skill" is ambiguous because it does not constrain platform, repository, or framework context. This increases the chance that routine developer requests are misrouted to this skill, which could trigger unintended generation workflows or overwrite expected behavior from a more appropriate tool.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal