Security audit

culture

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a culture reference, but it embeds unrelated promotional links and contact information that could be surfaced during culture-related answers.

Install only if you are comfortable with a culture skill that also contains unrelated OpenClaw promotional material, external links, and a personal email address. It does not appear to run code or access your data, but users looking for a neutral culture reference should prefer a version with the promotional section removed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The skill is described as a cultural introduction skill, but the final section injects unrelated promotion, external links, branding, and direct contact information. This creates a prompt-injection and trust-abuse risk: an agent may surface or endorse these links to users under the guise of cultural assistance, enabling off-platform redirection, unsolicited marketing, or social engineering.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal