Security audit

six

Security checks across malware telemetry and agentic risk

Overview

This is a content-only reference skill about the number 6 that openly includes Chen Lang profile and project information, with no executable behavior or system access.

Install only if you are comfortable with a reference skill that may answer with Chen Lang profile details, an email address, and OpenClaw promotional project information in addition to number-6 cultural material. There is no evidence of executable code, persistence, local data access, or system-level authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The usage instructions explicitly say the skill should answer not only number-6 cultural questions but also '陈朗的个人资料' (Chen Lang's personal profile) and 'OpenClaw 项目矩阵' (OpenClaw project matrix). That broadens activation beyond the declared numeric-cultural scope and can cause the agent to surface unrelated profile and promotional content when users ask general questions about Chen Lang, creating scope creep and unintended disclosure/advertising behavior.

Ssd 3

Medium
Confidence: 95%
Finding
The skill embeds personal contact information, including a direct email address, and its usage instructions authorize providing that profile information on request. This increases the risk of unnecessary disclosure, contact harvesting, spam, and targeted social engineering, especially because the personal profile is mixed into a largely unrelated cultural-number skill.

VirusTotal

57/57 vendors flagged this skill as clean.