ai-report

Security checks across malware telemetry and agentic risk

Overview

This is a local AI work-report generator; its main risk is that it may summarize private memory notes into saved local reports.

Install this only if you want OpenClaw to turn local memory or diary entries into saved report files. Check whether automatic session-end generation is enabled, review generated reports before sharing them, and avoid putting secrets in memory files that may be summarized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The manual trigger phrases are broad natural-language requests such as writing today's daily report or this week's weekly report, which can easily overlap with ordinary user conversation. In an agent environment, this creates a risk of unintended activation that may cause the skill to collect conversation-derived memory and generate or save reports without the user clearly intending to invoke the skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states it will automatically scan memory files and archive generated reports, but the description does not warn users that conversation-derived content may be read and persisted to disk. This is dangerous because users may unknowingly expose sensitive discussion content, internal decisions, or personal data through automated summarization and storage, especially when auto-triggering at session end.

VirusTotal

64/64 vendors flagged this skill as clean.
