Manus Skill - Operate Manus through Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Manus API client, but it can spend credits, upload files, and store prompt metadata locally.

Install only if you trust this skill with your Manus API key. Add .manus_sessions.json to .gitignore, avoid putting secrets in prompts or uploaded files, and explicitly confirm new task creation, uploads, public sharing, connector use, webhooks, and any deletion or visibility-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'upload_url' from requests.post (line 447, network input) → requests.put (network output)

Medium
Category
Data Flow
Content
        import mimetypes
        mime = mimetypes.guess_type(str(path))[0] or "application/octet-stream"
        with open(path, "rb") as f:
            requests.put(upload_url, headers={"Content-Type": mime}, data=f).raise_for_status()
        return record

    def list_files(self) -> dict:
Confidence
90% confidence
Finding
requests.put(upload_url, headers={"Content-Type": mime}, data=f).raise_for_status()

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly uses sensitive capabilities beyond simple documentation: it reads an API key from the environment, writes a persistent session file, and makes authenticated network requests to a third-party API, yet it declares no explicit permissions. That mismatch weakens reviewability and consent because operators may not realize the skill can transmit data externally and persist potentially sensitive prompts and task metadata locally.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is extremely broad and includes catch-all triggers such as simple mentions of Manus, status checks, delegation phrasing, and references to IDs, making accidental activation more likely. In this skill, over-triggering is security-relevant because activation can lead to authenticated API calls, task creation that consumes credits, and possible transmission of user data to an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents persistent storage of `.manus_sessions.json` containing prompts, task IDs, and URLs, and also supports file uploads and webhooks, but it does not provide a prominent upfront warning about privacy and external data handling. This is dangerous because users may unknowingly expose sensitive prompts, documents, or callback endpoints to local disk and a third-party platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The design explicitly stores `first_prompt` verbatim and recommends storing `last_prompt`, which can capture secrets, credentials, personal data, proprietary code, or other sensitive user inputs in a local plaintext registry. Because this is a session-tracking skill for an external agent platform, users are likely to send high-sensitivity content, so retaining raw prompts without an explicit privacy warning, minimization strategy, or protection controls materially increases the risk of local data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function transmits local file contents off-host with no user-facing warning, confirmation, or destination transparency beyond the code itself. In an agent skill that may be triggered on behalf of users, silent upload behavior increases the chance of accidental disclosure of sensitive local files.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
delete_task performs a destructive remote operation immediately with no confirmation, dry-run option, or guardrails. In a session-management skill where IDs may be reused across turns, accidental invocation could permanently remove remote work or metadata.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
delete_file deletes remote files without any visible confirmation or recovery protections. Because the skill manages uploaded artifacts, accidental or coerced deletion could cause data loss for users relying on stored files.

VirusTotal

51/51 vendors flagged this skill as clean.
