Security audit

project-factory

Security checks across malware telemetry and agentic risk

Overview

This is a real project scaffolding skill, but it can change global OpenClaw configuration, register agents and cron jobs, copy main-agent auth profile files, and store Telegram tokens in project files.

Install only if you intentionally want a scaffolding skill that can modify your OpenClaw workspace, shared Telegram routing, assistant registry, and cron jobs. Use --plan or --dry-run first, review changes to ~/.openclaw/openclaw.json and config/project_routing.json, avoid inheriting main-agent auth profiles unless that is intended, and use project-specific bot credentials that can be rotated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes shell, file read, and file write capabilities but does not declare corresponding permissions or clearly scope them. This creates a transparency and consent problem: an agent invoking the skill may perform filesystem and command execution side effects that are not obvious from the permission model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a scoped project-bootstrap workflow, but the skill also describes global administrative actions such as modifying ~/.openclaw state, registering agents, editing routing, validating existing projects, and changing cron jobs. This mismatch is dangerous because users may consent to 'bootstrap a new project' while unintentionally authorizing broader workspace-wide changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is framed as a bootstrap tool, yet it also includes maintenance and administrative operations over existing projects and shared cron state. Expanding from creation into repair, validation, and global management increases the blast radius and can lead to unintended modifications outside the user's immediate task.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Global cron enumeration and deletion are powerful administrative capabilities unrelated to simply scaffolding a new project. If misused, they can reveal operational details across projects or disable unrelated automations, causing denial of service and cross-project impact.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The checklist instructs operators to invoke a different skill (`content-pipeline`) than the declared `project-factory` skill, creating a clear skill/behavior mismatch. In an agentic environment, this can misroute execution, trigger the wrong automation path, and cause users to provide credentials or configuration to an unintended workflow.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file claims the bootstrap generates a fixed set of content-pipeline-specific artifacts and operational files that are not supported by the manifest's generic project-creation description. This expands the apparent authority of the skill and may cause downstream agents or operators to assume the skill is permitted to scaffold sensitive operational components beyond its intended scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The checklist asks for Telegram bot tokens, chat IDs, thread IDs, data-source endpoints, and WeChat/Clash-related configuration before a supposedly generic bootstrap flow. This is dangerous because it normalizes collection of live credentials and infrastructure details that are unnecessary for many project types, increasing the risk of over-privileged setup, accidental secret exposure, or misuse if the skill is triggered in the wrong context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The checklist directs users to run operational scripts, verify shared routing, and register or inspect cron jobs, which exceeds a design/bootstrap role and crosses into active system operations. In the context of an agent skill, this broadens the skill's effective permissions and can lead to unintended execution, modification of shared infrastructure, or persistence mechanisms being set up under the guise of project creation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script presents itself as a project bootstrapper but also exposes unrelated cron administration functions. Expanding a provisioning tool into an operations console increases blast radius and violates least privilege, making accidental or unauthorized system-wide changes more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The --cron-remove path can delete any OpenClaw cron job by arbitrary ID, with no ownership, scope, or confirmation checks. In a bootstrap skill this is unjustified privilege and could be abused to disable unrelated automations across the installation.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Importing and exposing an all-projects health check gives this bootstrap tool visibility into the entire projects tree, exceeding its declared purpose. That broader access increases the chance of unintended disclosure or misuse of cross-project operational data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script can enumerate all cron jobs in the OpenClaw installation and map them to projects, which discloses system-wide scheduling metadata unrelated to bootstrapping a single project. Such inventory functionality is valuable to an attacker for reconnaissance and should not be bundled into a setup helper.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The docstring materially understates the script's behavior by describing only project bootstrapping while the code also edits global OpenClaw config and scheduler state. Misleading capability descriptions reduce operator awareness and can cause privileged side effects to be invoked unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script goes beyond bootstrapping a local project and performs upgrade actions that modify shared state, including global routing and agent configuration under ~/.openclaw. In a skill that may be invoked for creating or upgrading a project, this creates a wider-than-expected trust boundary and can silently reconfigure other operational surfaces, increasing the blast radius of a mistaken or malicious invocation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The functions in this region modify user-wide OpenClaw agent registration and Telegram group/topic routing, including creating agent runtime files, registering assistants, and rebinding topic handlers. Because these are global configuration surfaces unrelated to simple scaffolding, a project upgrade can unexpectedly alter message routing, persistence, and agent behavior across the environment, which is especially risky in an automation platform.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to match ordinary discussion about starting or designing projects, which can cause the skill to activate outside clearly intended contexts. Because this skill can scaffold files and register routing or cron-related components, accidental invocation could lead to unintended workspace modifications or automation setup based on casual user language.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that the skill generates a full project scaffold and creates directories and configuration artifacts, but it does not clearly warn users that invoking the skill may modify the workspace. In this context, the omission is risky because users may trigger the skill without understanding that it can create files, alter project structure, or prepare integrations such as routing and cron registration.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is broad enough to activate on ordinary discussion about projects or automation, not just explicit requests to run the skill. For a skill that can write files and mutate config, over-broad invocation increases the risk of accidental execution and unintended side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explains bootstrap commands that can write files, modify config, register agents, and create cron jobs, but it does not prominently warn users about those side effects. In a skill with system-modifying behavior, missing safety disclosures can lead to uninformed consent and accidental persistent changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill collects sensitive values such as bot tokens and chat identifiers without a privacy or secret-handling warning. In practice, prompting for credentials inside a conversational workflow can lead to accidental disclosure, logging, or reuse of secrets beyond the minimum necessary context.

Credential Access

High
Category
Privilege Escalation
Content
| `--validate-only <path>` | Runs an 8-point health check on an existing project. Does not modify any files. |
| `--fix-suggestions` | Used with `--validate-only`; outputs a pasteable fix code block for each FAIL/WARN. |
| `--fix-dry-run` | Used with `--validate-only`; previews the actual write operations that `--fix` would perform (including the backup plan). |
| `--fix` | Applies all automatic safe fixes to an existing project (creates missing files, supplements runtime.env variables); exit code 0 means success. |
| `--continue-from-fix <path>` | After `--fix` succeeds, re-runs the config writes that were skipped by the G-abort (routing, agent registration, telegram configuration, cron registration). Reads the configuration from the project directory; does not require the full set of parameters. |
| `--fix-and-continue <path>` | **Recommended combined command**. Equivalent to `--fix` + `--continue-from-fix` in a single pass: health check → auto-fix → re-check → re-run config writes. Aborts midway on FAIL and will not pollute the config. |
| `--interactive` | **Interactive guided mode**: collects all parameters step by step, validating each one (project_key format, chat_id format, cron expression, etc.); once collection is complete, proceeds directly into the bootstrap flow (equivalent to `--fix-and-continue`). |
Confidence
90% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.