Back to skill

Security audit

Peace Evolution

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed workflow for reviewing and iterating a specific HTML game, with some setup and consent caveats around file creation and Feishu notifications.

Before installing, confirm that you want this skill to operate on /root/.openclaw/workspace/peace*.html, that the referenced jury-review process is trusted, and that Feishu notifications go only to the intended account or recipient. Use explicit commands and review the generated file before sharing it externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough that ordinary user messages like '游戏优化' or '评审生成' could accidentally activate the skill and start a workflow that reads workspace files, creates a new HTML version, and sends a notification. In this skill’s context, unintended activation is more dangerous because the workflow performs state-changing actions beyond simple chat responses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description and usage flow do not prominently warn users that the agent may generate a new file version and send a Feishu notification, which are side effects with persistence and external communication. This lack of disclosure increases the risk of users invoking the skill without informed consent, especially when combined with broad triggers and automated execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.