Sui Vibe

Security checks across static analysis, malware telemetry, and agentic risk

Overview

WALVIS appears to be a coherent Telegram/Walrus knowledge-manager skill, but it uses broad local tools, persistent hooks, external AI/storage services, and an API key that users should review before installing.

WALVIS does what it claims: it saves and organizes Telegram content with AI and Walrus storage. Before installing, confirm you are comfortable giving it an LLM API key, letting it write to ~/.walvis, installing OpenClaw hooks/plugins, and potentially uploading saved content or screenshots to Walrus. Use testnet, avoid saving secrets, and enable encryption before sharing sensitive spaces.

Static analysis

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Dangerous exec

Critical

Finding: Shell command execution detected (child_process).

Env credential access

Critical

Finding: Environment variable access combined with network send.

Env credential access

Critical

Finding: Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI02: Tool Misuse and Exploitation

Low

What this means

The skill can fetch webpages, use a browser, write local vault files, and upload selected content or screenshots to Walrus as part of saving items.

Why it was flagged

The skill allows local commands, file operations, browser/WebFetch, cron, and messaging. These tools match the knowledge-manager workflow but give the skill broad operational capability.

Skill content

allowed-tools: Bash(node:*) Bash(npx:*) Bash(curl:*) Read Write Edit WebFetch browser cron message

Recommendation

Install only if you are comfortable with WALVIS handling the links, text, images, and screenshots you send it; review OpenClaw tool permissions if you want a narrower setup.

#ASI03: Identity and Privilege Abuse

Low

What this means

Your LLM API key will be delegated to the skill/OpenClaw environment, and saved content may be sent to the configured LLM provider for analysis.

Why it was flagged

The skill expects a user-provided LLM API key for analysis. This is purpose-aligned, but the registry metadata says no primary credential or required env vars.

Skill content

"env": { "WALVIS_LLM_API_KEY": "your-key" }

Recommendation

Use a scoped or project-specific API key where possible, monitor provider usage, and rotate the key if you remove the skill.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Installing via the CLI can add persistent WALVIS code paths to your OpenClaw environment.

Why it was flagged

The installer modifies the OpenClaw skill/plugin/hook configuration. This is disclosed and aligned with installation, but it is more than an instruction-only skill despite the registry install spec being empty.

Skill content

If you install via `npx walvis`, the CLI copies the skill, plugin, and hook into your OpenClaw skill directory and writes container-safe paths automatically.

Recommendation

Install from the expected package/repository, review the generated OpenClaw config, and remove the plugin/hook entries if you uninstall WALVIS.

#ASI06: Memory and Context Poisoning

Medium

What this means

Anything you save can remain in the local vault and may be uploaded to decentralized storage when synced; anyone with a shared blob ID may be able to view public, unencrypted data.

Why it was flagged

The skill creates a persistent local knowledge vault and can sync its contents to Walrus. That is the core purpose, but saved content may persist and be reused later.

Skill content

All data lives locally at `~/.walvis/` ... When you run `/walvis sync`, images are uploaded to Walrus first, then each space is uploaded and you get a blob ID.

Recommendation

Avoid saving secrets or sensitive personal data unless you understand the storage model; use encryption features before sharing or syncing sensitive spaces.

#ASI10: Rogue Agents

Low

What this means

If auto-save is enabled, bare URLs you send may be automatically routed into the WALVIS save pipeline.

Why it was flagged

The hook can persistently observe incoming messages and rewrite certain messages into WALVIS actions when enabled. The code also checks `manifest?.autoSave`, so this appears opt-in and purpose-aligned.

Skill content

Auto-save URL routing ... if `autoSave` is enabled and a message is a bare URL, rewrite it to `@{agent} {url}`.

Recommendation

Keep auto-save and reminders disabled unless you want proactive behavior, and review `~/.walvis/manifest.json` plus OpenClaw hook settings.

#ASI09: Human-Agent Trust Exploitation

Low

What this means

A user could choose a network mode that conflicts with the skill instructions and may not be fully supported.

Why it was flagged

SKILL.md says WALVIS currently operates on testnet only and must not use mainnet endpoints, while the installer presents a mainnet option. This is a documentation/configuration inconsistency, not evidence of deception.

Skill content

choices: ['testnet', 'mainnet']

Recommendation

Use testnet unless you intentionally want mainnet behavior and have verified the endpoints, costs, and support status.