Async Queue

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it installs a persistent daemon and exposes a plugin-auth endpoint that can inject queued text into agent system events with weak target scoping.

Review before installing if you are comfortable with a persistent local daemon that can wake OpenClaw agents later. Only queue non-sensitive task text, configure targets carefully, and unload the launchd plist if you stop using it. The main risk is not malware behavior; it is that the local plugin endpoint has broad authority to turn queued text into agent system events.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The endpoint takes externally supplied `task` content and injects it directly into a system event, which typically carries elevated trust and influences agent behavior. Even though the route uses plugin auth, any caller with access to that auth boundary can cause arbitrary instructions to be delivered as system-context input and immediately trigger the agent, creating a prompt-injection and privilege-boundary crossing risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal