Back to skill

Security audit

Skill Analyst Zh

Security checks across malware telemetry and agentic risk

Overview

This looks like a skill-review helper with somewhat broad trigger wording, but there is no evidence of hidden access, persistence, credential use, or harmful behavior.

Install only if you want a Chinese-language assistant for OpenClaw skill review. Prefer invoking it explicitly for skill analysis, and check any suggested CLI commands before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad natural-language requests such as '这个skill值得装吗' and '能发布吗', which can match common conversational text and cause the skill to activate outside the user's intended context. Because this skill performs repository/skill inspection workflows and may invoke local CLI tools, unintended activation can lead to unnecessary command execution, disclosure of local skill metadata, or confusing cross-trigger behavior in multi-skill environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.