Back to skill

Security audit

Security Operator

Security checks across malware telemetry and agentic risk

Overview

This security skill appears defensive, but its optional hardening installer has enough privileged host-changing behavior to require review before installation.

Review the installer before use, run only its true dry-run or plan mode first, and apply it only on a machine where you are prepared for persistent firewall and package changes. Do not provide untrusted SSH port or source values, and avoid running the privileged installer until those inputs are strictly validated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Labeling `sudo ./scripts/install.sh` as 'Plan only (no changes)' is unsafe because invoking an install script without a verified dry-run flag can perform real privileged modifications. Users may execute it expecting a harmless preview and inadvertently change firewall, SSH, packages, or access settings.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer performs host-level package management and firewall reconfiguration that materially exceeds a narrow 'agent runtime guardrails' scope. In a skill installation context, modifying UFW and enabling a deny-by-default firewall can disrupt host access or create unintended operational impact, especially if users trust the skill to affect only OpenClaw runtime behavior.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
CMD_UPDATE="sudo apt-get update && sudo apt-get -y upgrade"
CMD_UFW_INSTALL="sudo apt-get -y install ufw"
CMD_UFW_DEFAULTS="sudo ufw default deny incoming && sudo ufw default allow outgoing"

if [[ -n "$ALLOW_SSH_FROM" ]]; then
  CMD_UFW_SSH_ALLOW="sudo ufw allow from $ALLOW_SSH_FROM to any port $SSH_PORT proto tcp"
Confidence
96% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
CMD_UPDATE="sudo apt-get update && sudo apt-get -y upgrade"
CMD_UFW_INSTALL="sudo apt-get -y install ufw"
CMD_UFW_DEFAULTS="sudo ufw default deny incoming && sudo ufw default allow outgoing"

if [[ -n "$ALLOW_SSH_FROM" ]]; then
  CMD_UFW_SSH_ALLOW="sudo ufw allow from $ALLOW_SSH_FROM to any port $SSH_PORT proto tcp"
Confidence
96% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
CMD_UFW_DEFAULTS="sudo ufw default deny incoming && sudo ufw default allow outgoing"

if [[ -n "$ALLOW_SSH_FROM" ]]; then
  CMD_UFW_SSH_ALLOW="sudo ufw allow from $ALLOW_SSH_FROM to any port $SSH_PORT proto tcp"
else
  CMD_UFW_SSH_ALLOW="sudo ufw allow $SSH_PORT/tcp"
fi
Confidence
95% confidence
Finding
sudo

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/prompt-injection-guardrails.md:16

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
references/workshop-security-section.md:37

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:74