Back to skill

Security audit

Sui Vibe

Security checks across malware telemetry and agentic risk

Overview

WALVIS is a real knowledge-manager skill, but it makes broad persistent OpenClaw changes and can use local wallet keys for blockchain access-control actions.

Install only if you are comfortable with WALVIS changing your OpenClaw configuration, adding persistent hooks/plugins and SOUL.md text, storing an LLM API key locally, uploading vault data and screenshots to Walrus, running reminder crons, and using your local Sui CLI wallet for Seal operations. Review openclaw.json, SOUL.md, ~/.walvis, and avoid Seal/share commands unless you understand the wallet-signing and access-control implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Launching a local dashboard with a local read-write API expands the attack surface from chat-based knowledge management to a persistent local service that can mutate user data. Because this behavior is not clearly reflected in the top-level purpose, users may invoke the skill without realizing it can expose local HTTP endpoints and ongoing filesystem access.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The cron-based organization and reminder system introduces autonomous background behavior that can read all stored content and proactively message the user. While arguably related to knowledge management, it changes the skill from reactive storage to persistent monitoring/notification, which is a meaningful scope expansion and privacy consideration.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Wallet balance querying is not necessary for basic save-and-organize functionality and introduces blockchain account handling into the skill. Even read-only wallet operations expand the data sensitivity of the manifest and can normalize further blockchain interactions from a skill users may not expect to touch wallet-related information.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Granting and revoking decryption access for blockchain addresses is a privileged security-sensitive operation that goes well beyond bookmarking. If triggered unexpectedly or misunderstood, it could expose encrypted user data to unintended parties or alter access control on protected spaces.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The installer does more than install a bookmark-management skill: it rewrites OpenClaw runtime configuration, enables plugins/hooks, and injects content into the agent's SOUL.md personality file. That broad, persistent modification of host-agent behavior exceeds the narrow user expectation of a bookmark tool and creates a supply-chain style trust boundary violation if the skill is installed without clear, granular consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code enables Telegram inline button capabilities at the global channel/account configuration level rather than scoping the capability narrowly to this skill. Broadening messaging capabilities platform-wide increases the attack surface for other skills or future behavior changes and is not strictly justified by the installer’s stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill invokes `npx` to install and execute external packages (`tsx`, `@mysten/*`) at runtime. This creates a software supply-chain and arbitrary code execution risk: package resolution happens dynamically, can change over time, and runs with the user's local privileges without any trust pinning or confirmation.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is presented as a Telegram knowledge manager, but it also performs wallet-related actions and Seal encryption/share/unshare operations that can change access control over user data. This expands the trust boundary beyond simple note storage into blockchain and cryptographic state changes, increasing the chance of users invoking sensitive actions they did not expect from the stated description.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The smart reminder and organization flows continuously scan saved content, summaries, and notes to infer deadlines, follow-ups, and behavior patterns, which is broader than a basic save-and-retrieve knowledge manager. This creates a privacy risk because personal notes and stored content are proactively monitored and acted upon in the background via cron jobs, potentially surfacing sensitive information unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script directly reads the user's local Sui CLI keystore and uses the first private key to sign blockchain transactions. Even if intended to support Seal encryption, accessing wallet credentials from disk without explicit user consent, account selection, or isolation creates a dangerous credential-use path that can authorize unintended on-chain actions if the skill is invoked unexpectedly or in a broader agent context.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
This code creates shared on-chain access-policy objects and executes signed transactions, which is a privileged capability not disclosed by the skill's high-level description. In the context of an agent skill marketed as a knowledge manager, hidden blockchain state changes increase risk because users may not expect wallet-affecting operations or the costs and permission implications that come with them.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The share and unshare functions modify on-chain allowlists using the locally loaded keypair, affecting who can decrypt protected data. This is security-sensitive administration, and in an agent setting it is dangerous if exposed without strong user awareness and confirmation because it can silently grant or revoke access to encrypted content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages users to sync spaces to Walrus and share the resulting blob ID so others can view the vault, but it does not prominently warn that non-encrypted synced data may be publicly accessible. In a knowledge-manager skill that stores notes, links, images, and reminders, users may reasonably assume 'sync' is just backup behavior, which creates a meaningful risk of accidental data exposure.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill activates on essentially any '/walvis' prefixed text, URL, or content and then may fetch remote pages, open a browser, take screenshots, upload data, and write local files. Such a broad trigger increases the chance of accidental activation and unintended processing or exfiltration of user-supplied content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The import flow instructs the skill to silently download preview images into local storage in the background, causing undisclosed filesystem writes after a blob import. Silent background writes reduce user awareness and can consume disk space or persist content locally that the user did not expect to store.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer writes the user-provided LLM API key directly into openclaw.json, creating plaintext credential persistence in a shared runtime configuration file. Without a clear warning or safer secret-handling mechanism, this increases the risk of credential disclosure through backups, local compromise, misconfigured permissions, or accidental sharing of the config directory.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Injecting arbitrary content into SOUL.md alters the host agent’s long-term behavior and prompt context without explicit prior disclosure. Persistent prompt/personality modification is dangerous because it can change future agent decisions outside the bookmark feature, and users may not realize a skill installer changed core workspace behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill silently installs and runs external packages via `npx` with no warning, prompt, or approval step. In a local agent context, this is dangerous because it expands the trust boundary to remote package registries and allows unreviewed code to execute on the host machine.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sync path uploads local WALVIS content, including notes, metadata, and potentially media, to remote Walrus endpoints without an explicit privacy or exfiltration warning at execution time. In a knowledge-manager skill handling user-supplied content, silent remote transfer materially increases confidentiality risk if users do not understand what data leaves the machine.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The hook automatically rewrites any bare URL into a save command whenever auto-save is enabled, with no documented exclusions for common cases such as authentication links, one-time magic links, invite URLs, unsubscribe links, or URLs forwarded unintentionally. In a Telegram-integrated knowledge manager, this broad trigger can cause sensitive or transient links to be ingested, processed, and stored without clear user confirmation, increasing the risk of privacy leakage or accidental retention of secrets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete callback removes items from both the space file and manifest immediately with no confirmation, undo, or safety check. A stray click, forged callback, or misunderstanding could permanently remove user data from the local index and make recovery difficult.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The import flow downloads all preview images in the background and updates local paths without explicit prior consent for that secondary data transfer and storage. Even though the response mentions the download afterward, the action is still automatic and could consume bandwidth, store unwanted content locally, or fetch unsafe material from untrusted blob references.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code sends user-supplied content, including content fetched from arbitrary URLs, to a configured LLM endpoint without any consent gate, warning, or destination validation in this file. That creates a real privacy and data-handling risk because users may not realize that page contents they submit are exfiltrated to a third-party or attacker-controlled endpoint defined in the manifest.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code accesses the user's private keystore with no warning or disclosure at the point of use, then signs messages and transactions with that key. Lack of runtime disclosure and consent is especially risky for agent skills because credential access can be triggered in ways the user does not fully understand, turning a local key into an implicit authorization token.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
When a space is encrypted, the script stores the recovery/backup key directly into the local space object as base64 and persists it with writeSpace(). This undermines the confidentiality benefit of encryption because any local compromise, backup leak, or unintended file exposure can reveal the key needed to decrypt the uploaded data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/cli.js:241

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
extensions/walvis-fastpath/index.js:66

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/smoke-walvis-scripts.mjs:13

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
extensions/walvis-fastpath/index.js:565

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
skill/scripts/analyze.ts:77