AnySkill Skill Cloud Manager

Security checks across malware telemetry and agentic risk

Overview

AnySkill is a disclosed GitHub-backed skill manager, but it handles write-capable GitHub tokens and can persistently change agent/workspace behavior, so users should review it carefully before installing.

Install only if you want an agent to manage a private GitHub skill repository. Use a fine-grained token limited to one repository, prefer secure environment or platform secret storage over pasting tokens into chat or plaintext config, and review any TOOLS.md, AGENTS.md, skill download, infrastructure update, commit, push, or delete action before allowing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to use a supplied GitHub token to query the user's identity and search across repositories under that account, which goes beyond the minimum needed to operate on a user-specified repo. That expands the data access scope and can expose account metadata and unrelated repository information without an explicit, informed consent step.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The manifest describes a private skill-cloud manager, but the skill also modifies OpenClaw workspace files like TOOLS.md and AGENTS.md, altering agent behavior and persistent workspace instructions. This is a capability expansion not clearly conveyed by the high-level description, which can surprise users and create hidden persistence in the agent environment.

Vague Triggers

Medium
Confidence: 84%
Finding
The update trigger uses broad phrases such as 'modify XX skill' or 'change XX', which can overlap with ordinary conversation about a skill rather than a request to perform git-backed edits. That ambiguity can cause unintended file modifications and remote pushes from routine discussion.

Vague Triggers

Low
Confidence: 73%
Finding
The listing triggers are generic enough that common requests like 'show skills' or 'what skills are there' may activate cloud-repo enumeration without clear scope. While lower impact than write actions, it can still reveal private repository inventory unexpectedly.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs the agent to persist a GitHub PAT in a config file for some environments, but does not give a clear warning about local secret-at-rest risk, file permissions, or shared-machine exposure. Storing tokens in plaintext configuration materially increases the chance of credential theft and reuse.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly asks users to paste a live GitHub personal access token into chat and then store it for later use. Secrets entered into chat may be logged, retained, or exposed through downstream tooling, making this a direct credential-handling anti-pattern with high account-compromise risk.

Ssd 3

Medium
Confidence: 95%
Finding
The auto-discovery flow uses a provided token to call the GitHub user API and repository search API without first obtaining explicit consent for those actions. Even if technically functional, it normalizes broad secret-powered account inspection and may access data beyond what the user expected when sharing the token.

VirusTotal

66/66 vendors flagged this skill as clean.