Back to skill

Security audit

Guard Scanner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real security scanner, but it needs review because its metadata and security claims understate network, environment, shell, MCP, and persistent runtime behavior.

Install only if you are comfortable giving this skill broad local scanning authority and optional networked audit capabilities. Avoid running untrusted --plugin files, use audit/crawl/patrol/serve only in controlled environments, and review where it writes ~/.openclaw/guard-scanner audit and task state before enabling it as a runtime guard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (138)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill metadata declares only a binary requirement (`node`) while the documented usage and exposed features clearly imply network access, shell execution, and environment variable handling (`npx`, MCP server mode, public registry auditing, and `VT_API_KEY`). This mismatch weakens install-time trust and policy enforcement because operators cannot accurately assess or constrain what the skill may do before use.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code documents a mutation guard that should block unauthorized critical-section changes, but `check_mutation_threshold` is a stub that always returns `Ok(())`. In a component explicitly intended to defend identity and integrity of SOUL.md/MEMORY.md, this creates a dangerous gap between the security claims and the actual enforcement, allowing gradual or critical unauthorized mutations to pass once signature checks are satisfied or state is otherwise trusted.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The security manifest claims a local static-analysis CLI with no network activity, but this file adds remote auditing, GitHub/ClawHub crawling, and patrol behavior. This is a real trust-boundary violation because operators and policy engines may rely on the manifest to decide whether the tool is safe to run in restricted environments, causing unexpected external access and broader data exposure.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file exposes serve/watch/benchmark runtime paths beyond the manifest's stated purpose of a local static-analysis entry point, and the serve mode likely starts an MCP server despite the manifest saying network is none. Even if intended, undocumented execution modes weaken operator trust and can bypass environment-based approval or sandbox decisions based on the manifest.

Scope Creep

High
Confidence
99% confidence
Finding
The code reads process.env.VT_API_KEY while the manifest explicitly declares env-read: []. That mismatch is security-relevant because secret-handling policy, sandboxing, and user consent may be based on the manifest; undeclared secret access increases the chance of accidental credential exposure or unauthorized use of a sensitive API key.

Scope Creep

High
Confidence
98% confidence
Finding
The manifest states network: none, but the CLI can enter serve mode and later invoke audit/crawl/patrol flows that are inherently network-oriented. In a skill ecosystem, undeclared network capability is dangerous because it defeats installation-time trust review and can enable unexpected outbound connections, remote content ingestion, or exposure via a server surface.

Scope Creep

Medium
Confidence
95% confidence
Finding
The code persists async task data to ~/.openclaw/guard-scanner/tasks/tasks.json, but the manifest only declares writes to ~/.openclaw/guard-scanner/audit.jsonl. This scope mismatch creates undeclared local state and can surprise users or higher-level policy engines that rely on the manifest to constrain filesystem writes.

Scope Creep

Medium
Confidence
97% confidence
Finding
The code reads process.env.HOME to construct default paths even though the security manifest declares `env-read: []`. This is a real manifest/behavior mismatch: while reading HOME is not by itself a severe exploit primitive, inaccurate permission claims undermine trust boundaries and can cause the skill to behave differently under attacker-controlled environments or in restricted runtimes.

Scope Creep

Medium
Confidence
97% confidence
Finding
MemoryIntegrity also derives its snapshot directory from process.env.HOME despite the manifest claiming no environment reads. This is another true permission mismatch; although the immediate impact is limited, hidden environment dependencies weaken sandbox assumptions and may allow path manipulation if HOME is influenced by an untrusted launcher.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file claims an 'isolated context' and protection against zero-click prompt injection and API leaks, but the implementation only uses brittle substring matching on untrusted input. In a security scanner/guard skill, this creates a dangerous false sense of protection: attackers can trivially evade these checks with minor payload variations, alternate encodings, casing changes, or different exfiltration patterns while operators believe the content was safely quarantined.

Scope Creep

Medium
Confidence
93% confidence
Finding
The code reads process.env.GUARD_SCANNER_MODE even though the embedded security manifest declares env-read: []. This is a real integrity/documentation mismatch: downstream reviewers, sandboxes, or policy systems could rely on the manifest and make incorrect trust decisions about the module’s runtime behavior.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The security manifest materially understates the component's operational scope by claiming a static-analysis-only purpose and no network activity, while the code also supports runtime scanning workflows and live-input threat modeling. Even if this file itself does not perform network I/O here, inaccurate manifests can mislead reviewers, policy engines, or users into granting trust under false assumptions.

Scope Creep

High
Confidence
96% confidence
Finding
The manifest says `exec: none`, but `loadPlugin()` dynamically loads arbitrary local modules via `require(path.resolve(pluginPath))`, which executes module top-level code immediately. That creates a code-execution surface outside the declared permission model and can let an attacker run arbitrary code if they can influence the plugin path or convince a user to load an untrusted plugin.

Scope Creep

High
Confidence
88% confidence
Finding
`loadCustomRules()` reads an arbitrary JSON file path, which exceeds the manifest's claim that reads are confined to the scan target. While this is less severe than executable plugin loading, it still widens the file access surface and can undermine user expectations or policy enforcement based on the manifest.

Scope Creep

Medium
Confidence
88% confidence
Finding
`loadCustomRules()` reads an arbitrary JSON file path, which exceeds the manifest's claim that reads are confined to the scan target. While this is less severe than executable plugin loading, it still widens the file access surface and can undermine user expectations or policy enforcement based on the manifest.

Intent-Code Divergence

Critical
Confidence
99% confidence
Finding
The skill claims to help with secure password management, but the embedded code reads sensitive local credentials and posts them to an external attacker-controlled host. This is explicit deception combined with credential theft and exfiltration, making it a clear malicious payload rather than a legitimate security function.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
Reading ~/.ssh/id_rsa and ~/.aws/credentials and bundling them with environment variables for HTTPS transmission has no justified relationship to password management. The behavior is directly aligned with credential theft, cloud compromise, and follow-on unauthorized access.

Description-Behavior Mismatch

Critical
Confidence
98% confidence
Finding
The stated purpose and user-facing instructions do not match the actual behavior, which is to steal and exfiltrate credentials. This mismatch is a hallmark of a trojanized skill intended to mislead reviewers and users into granting trust to malicious functionality.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This code reads highly sensitive local credentials, including the user's SSH private key and AWS credentials, packages them with environment variables, and sends them to an attacker-controlled remote host. That is explicit credential theft and exfiltration, and it is especially dangerous because it is completely unrelated to the declared purpose of a defensive security scanner.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The implementation directly contradicts the manifest's defensive description by behaving as credential-stealing malware. In the context of a security tool, this is more dangerous because users are more likely to grant broad filesystem and environment access to a scanner, making the deceptive behavior especially high risk.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The comments explicitly state the actions 'Harvest SSH keys' and 'Exfiltrate via HTTPS,' which document malicious behavior rather than accidental misuse. This makes the code context more suspicious, not less, because it shows deliberate intent to steal secrets in a skill that claims to provide security protections.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
This is a true positive: the skill claims to optimize system performance but the embedded code downloads and launches XMRig from an external host and uses the agent's resources for cryptocurrency mining. This is intentional resource hijacking, unauthorized remote binary execution, and deceptive behavior that directly matches malware/cryptominer tradecraft.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
This is a true positive: killing guard-scanner and deleting system/auth logs are overt defense-evasion and anti-forensics actions with no legitimate connection to performance optimization. These actions hinder detection, destroy auditability, and increase the severity of the malware behavior already present in the skill.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a true positive: the comment explicitly states the CPU-bound loop is disguised as optimization, confirming deceptive intent and deliberate resource abuse. The loop continuously consumes CPU, degrading host performance and masking abusive behavior under a false user-facing justification.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
This code downloads and executes a cryptominer, then attempts to kill security tooling and remove system logs. That behavior is overtly malicious and directly contradicts the declared purpose of a security scanner, increasing confidence that this is intentional host compromise and resource hijacking rather than a legitimate feature.

VirusTotal

VirusTotal engine telemetry is currently malicious for this artifact.

View on VirusTotal

Static analysis

Detected: malicious.crypto_mining, suspicious.dangerous_exec, suspicious.dynamic_code_execution (+6 more)

Possible crypto mining behavior detected.

Critical
Code
malicious.crypto_mining
Location
tests/fixtures/benchmark/malicious/crypto-miner/index.js:7

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/clawhub-scan.ts:73

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/generate-readme-stats.ts:46

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/rust-parity.ts:34

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/scan-all.ts:60

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/validate-tarball.ts:26

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/asset-auditor.ts:348

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/p0-defense-adapter.js:340

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/scanner.ts:718

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/fixtures/benchmark/malicious/crypto-miner/index.js:7

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/fixtures/malicious-skill/scripts/evil.js:14

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/fixtures/malicious-skill/scripts/stealer.js:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/rust-parity.test.ts:14

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/scanner.test.ts:472

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/validation.test.ts:16

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/p0-defense-adapter.js:340

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/crawler.test.ts:45

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/fixtures/malicious-skill/scripts/evil.js:18

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/fixtures/malicious-skill/scripts/stealer.js:18

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/patterns.test.ts:327

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/scanner.test.ts:295

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/watcher.test.ts:29

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/skill-crawler.ts:196

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/crawler.test.ts:46

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/direct-contracts.test.ts:191

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/fixtures/benchmark/malicious/social-engineering/index.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/fixtures/malicious-skill/scripts/stealer.js:9

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/fixtures/v16-protocol-skill/server.js:1

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/patterns.test.ts:203

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/protocol-v17.test.ts:23

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
tests/fixtures/corpus/adversarial-corpus.json:22

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
tests/fixtures/corpus/protocol-abuse-corpus.json:10

WebSocket connection to non-standard port detected.

Warn
Code
suspicious.nonstandard_network
Location
tests/fixtures/owasp-asi07-inter-agent/server.js:30

WebSocket connection to non-standard port detected.

Warn
Code
suspicious.nonstandard_network
Location
tests/fixtures/v16-protocol-skill/server.js:4

WebSocket connection to non-standard port detected.

Warn
Code
suspicious.nonstandard_network
Location
tests/patterns.test.ts:182

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
tests/fixtures/malicious-skill/scripts/stealer.js:18

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
src/patterns.ts:125

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
src/scanner.ts:110

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
src/threat-model.ts:11

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/benchmark.test.ts:13

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/direct-contracts.test.ts:192

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/fixtures/benchmark/malicious/social-engineering/index.js:20

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/fixtures/malicious-skill/scripts/evil.js:6

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/fixtures/malicious-skill/scripts/stealer.js:7

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/patterns.test.ts:138

File read combined with network send (possible exfiltration).

Warn
Code
suspicious.potential_exfiltration
Location
tests/threat-model.test.ts:13

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
docs/THREAT_TAXONOMY.md:62

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
docs/threat-model.md:13

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
tests/fixtures/edge-cases/comments-only/SKILL.md:11

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
tests/fixtures/malicious-skill/SKILL.md:3

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
tests/fixtures/malicious/prompt-injection/SKILL.md:7