
Security audit

Claw-Value-Judge

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw usage-reporting skill, but it is rated Review because it exposes local report data through an unauthenticated web app and under-discloses its credential-harvesting and HTML-injection risks.

Install only if you are comfortable with it reading local OpenClaw logs, installed-skill metadata, and configuration summaries, then saving local history and generated images. Keep the server bound to localhost, avoid opening links that carry an untrusted clawJudge query parameter while it is running, and supply the DashScope key explicitly, and only if you need image generation.
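The overview's two operational conditions (loopback bind, no unauthenticated callers) can be enforced rather than hoped for. The following is an added example, not code from the Claw-Value-Judge skill; it assumes a plain dict of request headers and a per-launch bearer token that the skill does not actually implement. Beyond the page's advice it also checks the Host header, because a loopback bind alone does not stop a web page the user visits from reaching the service via DNS rebinding:

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit


def is_loopback_bind(host: str) -> bool:
    """True only when the server would bind to a loopback address.

    "0.0.0.0", "::" and LAN addresses return False. Because the dashboard is
    unauthenticated, binding anywhere else exposes the collected report data
    to the whole network segment.
    """
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def host_header_ok(host_header: str) -> bool:
    """Reject requests whose Host header does not name localhost.

    With DNS rebinding the browser still connects to 127.0.0.1 but sends an
    attacker-controlled Host header, so this is a cheap second line of defence
    behind the loopback bind.
    """
    hostname = urlsplit("//" + host_header).hostname  # handles "[::1]:8000" and "localhost:8000"
    if hostname is None:
        return False
    return is_loopback_bind(hostname)


def make_session_token() -> str:
    """Per-launch secret (assumed design): print it once or write it to a 0600 file."""
    return secrets.token_urlsafe(32)


def authorized(headers: dict, expected_token: str) -> bool:
    """Bearer check using a constant-time comparison."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, expected_token)


def gate_request(bind_host: str, headers: dict, expected_token: str) -> tuple[int, str]:
    """The three checks a local-only dashboard should apply, in order; returns (status, reason).

    `headers` is assumed to use canonical header names ("Host", "Authorization").
    """
    if not is_loopback_bind(bind_host):
        return 500, "refusing to serve: not bound to loopback"
    if not host_header_ok(headers.get("Host", "")):
        return 421, "misdirected request: unexpected Host"
    if not authorized(headers, expected_token):
        return 401, "missing or invalid bearer token"
    return 200, "ok"


if __name__ == "__main__":
    token = make_session_token()
    print(gate_request("127.0.0.1", {"Host": "localhost:8000", "Authorization": "Bearer " + token}, token))
    print(gate_request("0.0.0.0", {"Host": "localhost:8000", "Authorization": "Bearer " + token}, token))
```

The bind check belongs at startup (refuse to start on 0.0.0.0 rather than warn), while the Host and token checks run per request before any collected data is read.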

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (68)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
The manifest declares no permissions, so the skill's intended access cannot be validated against what the code actually does.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a mismatch because the description presents the skill as a playful assessment/report generator, but the code does substantially more: it performs broad local data collection from logs/config/skills, persists data in a database, exposes a full backend service and APIs, and integrates with an external image-generation service using discovered credentials. Those are material capabilities and resource accesses not reflected in the declared purpose or empty permissions list. While the evaluation/reporting theme is real, the implemented behavior is much broader than described.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The manifest describes a playful AI automation capability assessment and report generation, but this module implements broad host-side enumeration of local OpenClaw state: agent workspaces, installed skills, extension directories, logs, and configuration. While some telemetry collection can support an assessment, recursively discovering multiple workspaces and plugin skill inventories is a stronger environment-inspection capability than the manifest makes clear.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The configuration analyzer parses the user's local OpenClaw configuration file and exposes model and channel information. For a 'fun evaluation report,' accessing local configuration may reveal environment details that are more sensitive than the manifest suggests, and that capability is not explicitly disclosed in the description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest describes a playful evaluation/reporting system, while this code adds credential-discovery logic that scans a local TOOLS.md file for an API key. Reading workspace configuration files for secrets is not an obvious requirement of producing assessment reports or themed output, and expands the skill's effective access to local sensitive data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The generate_lobster docstring states that unspecified style defaults to cartoon, but the implementation uses self.DEFAULT_STYLE, which is not defined on the class. Separately, LobsterPromptTemplates.generate_prompt defaults missing/unknown styles to cyberpunk, so the documented intent does not match actual behavior.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest describes a playful evaluation/reporting system, but this module creates persistent tables for sessions, skills, collection records, evaluations, and configuration snapshots. Persistently collecting and retaining telemetry about user sessions, token usage, installed skills, and runtime configuration is broader behavior than the manifest's user-facing description suggests.

Context-Inappropriate Capability

Medium
Confidence
72% confidence
Finding
The database path is controlled via the CLAWVALUE_DATA_DIR environment variable, and the schema includes a config_snapshots table for runtime configuration details such as model, heartbeat interval, sandbox status, tools profile, and channels. For a skill described primarily as generating a themed AI capability valuation report, this level of configuration handling is not obviously required from the manifest alone.
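Where a skill does persist a configuration snapshot, the practitioner's concern is what else from openclaw.json travels with it. The following added example (not the skill's code) shows the allowlist-then-redact step that should sit in front of any insert into a table like config_snapshots. The key names in SNAPSHOT_FIELDS and the sample config are assumptions: the page lists the snapshot's fields in prose but not the skill's actual JSON keys.

```python
import re

# Assumed key names for the fields the finding lists (model, heartbeat interval,
# sandbox status, tools profile, channels); the real openclaw.json keys are not on the page.
SNAPSHOT_FIELDS = ("model", "heartbeat_interval", "sandbox", "tools_profile", "channels")

# Heuristics: secret-looking key names, and secret-looking value shapes (vendor prefixes, long opaque strings).
SECRET_KEY_RE = re.compile(
    r"(api[_-]?key|token|secret|password|passwd|authorization|credential|cookie|webhook)", re.I
)
SECRET_VALUE_RE = re.compile(r"^(sk-|Bearer\s)|^[A-Za-z0-9_\-]{32,}$")
REDACTED = "[REDACTED]"


def redact(value):
    """Recursively mask anything that looks like a secret, by key name or by value shape."""
    if isinstance(value, dict):
        return {k: (REDACTED if SECRET_KEY_RE.search(str(k)) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str) and SECRET_VALUE_RE.search(value):
        return REDACTED
    return value


def snapshot_config(raw: dict) -> dict:
    """Allowlist first (unlisted keys never reach the database), then redact what remains."""
    return {k: redact(raw[k]) for k in SNAPSHOT_FIELDS if k in raw}


def leaked_secrets(snapshot: dict, known_secrets: list[str]) -> list[str]:
    """Check helper: which known secret values still appear anywhere in the snapshot."""
    blob = repr(snapshot)
    return [s for s in known_secrets if s in blob]


# Constructed sample of what an openclaw.json might hold; not taken from the page or the skill.
SAMPLE_CONFIG = {
    "model": "qwen-plus",
    "heartbeat_interval": 30,
    "sandbox": True,
    "tools_profile": "default",
    "channels": [
        {"name": "telegram", "bot_token": "123456:AAExampleTokenValueXYZ"},
        {"name": "discord", "webhook": "https://discord.example/api/webhooks/1/abc"},
    ],
    "dashscope_api_key": "sk-examplekeyvalue0000000000000000",
    "workspace": "/home/user/.openclaw/workspace",
}

if __name__ == "__main__":
    print(snapshot_config(SAMPLE_CONFIG))
```

The allowlist does the real work: the API key and workspace path never enter the snapshot at all, and redaction only has to catch secrets nested inside fields that are legitimately stored, such as channel credentials. The value-shape regex is a heuristic and will occasionally mask a long identifier that is not a secret; that is the right failure direction for data written to a persistent database.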

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes a gamified assessment/report experience, but this module performs broad local data collection from /tmp/openclaw, ~/.openclaw/workspace/skills, and ~/.openclaw/openclaw.json. Reading operational logs, enumerating installed skills, and extracting configuration details is materially broader behavior than the user-facing description suggests.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Beyond computing usage-style metrics, the module collects primary model, heartbeat interval, sandbox status, channel names, subagent configuration, and scans all skills in the workspace. That environment profiling goes beyond what is obviously necessary for generating a lighthearted capability score unless explicitly disclosed as part of the skill's purpose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest describes a capability focused on quantifying AI automation ability and producing a fun evaluation report. This endpoint adds a distinct feature: calling an external image-generation service and downloading the resulting image to local storage, which goes beyond generating an assessment/report and is not implied by the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
For a skill whose stated purpose is assessing OpenClaw usage and producing a themed valuation report, invoking a third-party image API and then fetching the returned image URL is an unrelated network capability. This is not an obvious implementation detail of computing scores or generating mock/theme-based reports.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The endpoint writes downloaded image content into the web static directory, creating persistent files on disk. Persistent file creation is not necessary for a usage-evaluation/reporting tool as described in the manifest and introduces an extra capability outside the apparent scope.
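Writing a third-party API's response body into a web-served static directory deserves more than the "persistent file" note above: whatever the image service returns is untrusted input, and a served file with an attacker-influenced name or an HTML body is a stored injection point on the dashboard. The following added example (not the skill's code) shows the checks a reviewer would want around such a write: magic-byte verification, a server-chosen content-hash name, a size cap, and a containment check. The 5 MiB limit and the `generated` subdirectory are assumptions; the page does not give either.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # assumed limit; the page gives none
SAFE_NAME_RE = re.compile(r"^[0-9a-f]{32}\.(?:png|jpg|webp)$")


def sniff_image_ext(data: bytes):
    """Extension from magic bytes, or None. Never trust the Content-Type or URL suffix the image API returns."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return ".png"
    if data.startswith(b"\xff\xd8\xff"):
        return ".jpg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return ".webp"
    return None


def save_generated_image(data: bytes, static_dir: Path) -> Path:
    """Write verified image bytes under static_dir/generated with a content-derived name."""
    if len(data) > MAX_BYTES:
        raise ValueError("image too large")
    ext = sniff_image_ext(data)
    if ext is None:
        raise ValueError("not a recognised image; refusing to write it into the static directory")
    out_dir = (static_dir / "generated").resolve()
    out_dir.mkdir(parents=True, exist_ok=True)
    target = (out_dir / (hashlib.sha256(data).hexdigest()[:32] + ext)).resolve()
    if target.parent != out_dir:  # the name is ours, but check containment anyway
        raise ValueError("target escaped the static directory")
    tmp = target.with_name(target.name + ".part")
    tmp.write_bytes(data)
    tmp.replace(target)  # atomic rename, so a half-written file is never served
    return target


def safe_static_name(name: str):
    """Validate a client-supplied file name before it is looked up or deleted; None rejects it."""
    return name if SAFE_NAME_RE.match(name) else None


def demo():
    """Exercise the save path in a throwaway directory with constructed bytes (magic headers only, not real images)."""
    with tempfile.TemporaryDirectory() as d:
        static = Path(d)
        png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
        saved = save_generated_image(png_like, static)
        rejected = []
        for bad in (b"<html><script>alert(1)</script></html>",   # an HTML body the API could return
                    b"\x89PNG\r\n\x1a\n" + b"\x00" * MAX_BYTES):  # oversized
            try:
                save_generated_image(bad, static)
            except ValueError as exc:
                rejected.append(str(exc))
        return {
            "name": saved.name,
            "inside_static": saved.parent == (static / "generated").resolve(),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Magic-byte sniffing only proves the prefix, so a polyglot file can still pass; the extension allowlist and the fact that the static handler serves these names with an image content type are what keep a passed file from being interpreted as HTML.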

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
A comment at source line 882 states that production should not expose detailed errors, yet the refresh endpoint unconditionally returns both the raw error string and the full traceback in its API response. The code contradicts its own documented intent, and the traceback reveals local file paths and module structure to any caller.
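The fix is to keep the detail server-side under a correlation id and return only that id to the caller, with verbose output behind an explicit operator flag. The following added example (not the skill's code) shows the leaking pattern the finding describes next to the hardened handler; the collector function and logger name are constructed for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("clawvalue.api")  # assumed logger name


def failing_collector():
    """Constructed stand-in for a collector that fails while reading local state."""
    raise FileNotFoundError("/home/user/.openclaw/openclaw.json")


def handle_refresh_unsafe(collect):
    """The pattern the finding describes: raw error string plus full traceback in the response body."""
    try:
        return {"status": "ok", "data": collect()}
    except Exception as exc:
        return {"status": "error", "error": str(exc), "traceback": traceback.format_exc()}


def error_response(exc, debug=False):
    """Log the detail server-side under a correlation id; return only the id unless debug is on."""
    error_id = uuid.uuid4().hex
    log.error("refresh failed id=%s type=%s", error_id, type(exc).__name__, exc_info=exc)
    body = {"status": "error", "error_id": error_id, "message": "refresh failed; see server log"}
    if debug:  # enabled explicitly by the operator, never the default
        body["detail"] = str(exc)
        body["traceback"] = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return body


def handle_refresh(collect, debug=False):
    """Hardened refresh handler: same success path, opaque failure path."""
    try:
        return {"status": "ok", "data": collect()}
    except Exception as exc:
        return error_response(exc, debug=debug)


if __name__ == "__main__":
    print(handle_refresh_unsafe(failing_collector))
    print(handle_refresh(failing_collector))
```

The correlation id keeps the response useful for support without turning every failure into a filesystem map; the log line carries the same traceback the unsafe version used to send to the browser.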

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill is described as a fun AI capability valuation/report generator, but this code accepts the `clawJudge` query parameter and injects its decoded value into `innerHTML` for display. That is a DOM-based HTML/script injection surface driven by the URL: anyone who gets the user to open a crafted link while the server is running controls markup on the page, which is not justified by the stated purpose of generating evaluation reports and themed or mock-data presentation.
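A reviewer triaging a skill's static assets can catch this class of sink mechanically before reading the script by hand. The following added example (not the skill's code, and not a substitute for a real JavaScript parser) is a line-oriented taint heuristic: it marks identifiers assigned from URL sources, propagates through later assignments, and flags `innerHTML`, `outerHTML`, `insertAdjacentHTML` and `document.write` calls fed by them. The sample script is constructed to mirror the finding's description of a decoded `clawJudge` value reaching `innerHTML`; it is not the skill's actual code.

```python
import re

# Sources: where URL-controlled data enters the page.
SOURCE_RE = re.compile(r"URLSearchParams|location\.(?:search|hash|href)|document\.URL")
# Sinks: properties and calls that parse their argument as HTML.
SINK_RE = re.compile(
    r"\.(?:innerHTML|outerHTML)\s*=(?!=)\s*(.+)"
    r"|\.insertAdjacentHTML\s*\((.+)\)"
    r"|document\.write(?:ln)?\s*\((.+)\)"
)
# Simple assignments "const x = ..." / "x = ..." (one per line; this is a heuristic, not a parser).
ASSIGN_RE = re.compile(r"(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)")


def _mentions(names, text):
    """True if any identifier in `names` occurs as a whole token in `text`."""
    return any(re.search(r"(?<![\w$])" + re.escape(n) + r"(?![\w$])", text) for n in names)


def tainted_names(lines):
    """Identifiers assigned, directly or transitively, from a URL source (iterated to a fixpoint)."""
    tainted = set()
    changed = True
    while changed:
        changed = False
        for line in lines:
            m = ASSIGN_RE.match(line.strip())
            if not m or m.group(1) in tainted:
                continue
            name, rhs = m.groups()
            if SOURCE_RE.search(rhs) or _mentions(tainted, rhs):
                tainted.add(name)
                changed = True
    return tainted


def find_dom_xss(js: str):
    """Return (line number, line) for each HTML sink whose input is URL-derived."""
    lines = js.splitlines()
    tainted = tainted_names(lines)
    hits = []
    for n, line in enumerate(lines, 1):
        m = SINK_RE.search(line)
        if not m:
            continue
        arg = next(g for g in m.groups() if g is not None)
        if SOURCE_RE.search(arg) or _mentions(tainted, arg):
            hits.append((n, line.strip()))
    return hits


# Constructed sample modelled on the finding; lines 3 and 7 are the ones a reviewer wants flagged,
# line 4 is a static literal and line 5 uses textContent, which does not parse HTML.
SAMPLE_JS = """\
const params = new URLSearchParams(window.location.search);
const judge = decodeURIComponent(params.get("clawJudge") || "");
document.getElementById("judge").innerHTML = judge;
document.getElementById("title").innerHTML = "<b>Valuation report</b>";
document.getElementById("summary").textContent = judge;
const banner = judge + " says hi";
document.getElementById("banner").insertAdjacentHTML("beforeend", banner);
"""

if __name__ == "__main__":
    for lineno, text in find_dom_xss(SAMPLE_JS):
        print(f"line {lineno}: {text}")
```

The remediation the scan points at is line 5's pattern: assign the decoded parameter with `textContent`, or HTML-escape it before it reaches any HTML-parsing sink. The heuristic will miss data that flows through function calls or object properties, so a clean result is a reason to read the script, not a reason to skip it.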

Missing User Warnings

Low
Confidence
91% confidence
Finding
This is a markdown file, so SQP-2 applies to omissions in user-facing warnings. The README advertises AI image generation saved locally and one-click screenshot export, but it does not warn users that these features create files on disk or indicate where they are stored, which could affect user data and local storage expectations.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The markdown describes command-line data collection and API endpoints for stats, skills, sessions, and evaluation results, which implies processing and exposing usage-related data. There is no accompanying warning explaining what user or system data is collected, stored, or served, so users are not clearly informed about privacy-relevant behavior.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The manifest description and the full SKILL.md content are presented only in Chinese, which effectively forces a specific language for users reading setup and usage instructions. Under the policy, locale or language constraints should either offer user choice or be clearly documented as justified for a region-specific tool; neither is stated here.

Natural-Language Policy Violations

Low
Confidence
87% confidence
Finding
The file's natural-language content is entirely in Chinese, including the public-facing module description and usage guidance, with no indication that the skill supports other languages or that Chinese is a required locale. Under the policy, forcing a specific language without user opt-in can be a natural-language policy violation.

Natural-Language Policy Violations

Low
Confidence
89% confidence
Finding
This Python file contains all user-facing comments and achievement names/descriptions in Chinese, with no indication that other languages are supported or that the user can choose a locale. Under the policy rule for language/locale, hard-coding a specific language without opt-in can be considered a natural-language policy violation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code file performs safety-relevant local data access by collecting JSONL logs, scanning skill directories, and parsing the user's ~/.openclaw/openclaw.json configuration. Although the module docstring describes the purpose, there is no explicit user warning, confirmation, or privacy disclosure at the point of collection to inform users that potentially sensitive local data is being aggregated.

Natural-Language Policy Violations

Low
Confidence
96% confidence
Finding
Natural-language strings throughout the module, including the top-level docstring and CLI output, are written in Chinese and the referenced documentation URLs are fixed to zh-CN. This imposes a specific language/locale on users without any evident mechanism to select another language or confirm that Chinese is appropriate.

Natural-Language Policy Violations

Low
Confidence
87% confidence
Finding
This Python file contains user-facing natural-language text almost entirely in Chinese, including descriptions, labels, and achievement text. Under the policy for natural-language violations, forcing a specific language without user opt-in can be a locale-policy issue, and there is no indication here of user choice or a justified region-specific constraint.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
This Python file embeds its user-facing module description entirely in Chinese and continues that pattern throughout titles, messages, achievements, and printed output. Because the skill does not offer any language/locale selection or justify a Chinese-only audience, it creates a language-policy issue under the requirement to avoid forcing a specific language without user opt-in.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The large set of user-visible messages, achievements, rankings, and titles are all fixed in Chinese, which means users are effectively forced into one locale. This is a natural-language policy violation unless the skill offers locale choice or clearly documents that it is a Chinese-only tool.

VirusTotal

64/64 vendors flagged this skill as clean.
