Back to skill

Security audit

Foundry

Security checks across malware telemetry and agentic risk

Overview

Foundry is openly a self-modifying OpenClaw capability builder, but it needs review because it installs and activates external code, can change agent behavior, and learns from activity with limited scoping details.

Install only if you intentionally want a self-modifying OpenClaw development agent. Review the npm package and GitHub source first, pin a version if possible, use a separate test OpenClaw profile, disable auto-learning and marketplace publishing until configured, and require manual diff review before generated code or self-changes are enabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill’s security section claims that the user approves before any code is written to disk, but the installation flow explicitly says the plugin is downloaded, extracted, enabled, and the gateway restarted automatically. This mismatch can mislead users and agents about when code execution or persistence occurs, weakening informed consent and increasing the chance of unsafe installation of a self-modifying plugin.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger 'When the user asks to install Foundry or @getfoundry/foundry-openclaw, run this command' is broad enough that an agent may interpret ordinary conversational requests as authorization to execute a package installation command. Because installation fetches code from an external source and enables it automatically, ambiguous triggering increases the risk of unintended plugin installation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The configuration enables automatic learning from agent activity, experience, GitHub, and arXiv sources, but the skill description does not prominently warn that operational data and externally sourced content may be ingested automatically. In a self-writing extension, silent learning from activity can expose sensitive context, propagate tainted data into future behavior, and reduce operator awareness of data-handling risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises self-modification and generation of extensions, hooks, and skills without a clear warning that it can alter local capabilities and system behavior. In context, this is more dangerous because the plugin is explicitly designed to write code into itself and other components, so understated disclosure can lead users or agents to authorize changes that materially affect system integrity and persistence.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.