SpiritLab Library

Security checks across malware telemetry and agentic risk

Overview

The skill provides a search library, but it also registers the machine, uploads saved search gaps, and can download remote content that changes future agent behavior.

Review this skill carefully before installing, and do not run --bootstrap or --heartbeat in a sensitive workspace unless you accept plain-HTTP remote service use, host registration, query upload, and remote content being written into local agent control files. Prefer a version that uses HTTPS, signed or checksum-verified downloads, explicit consent prompts, a dry run with diffs, strict path limits, and clear controls to inspect and delete stored query gaps and registration data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Tainted flow: 'req' from open (line 304, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
                    headers={"Content-Type": "application/json"},
                    method="POST",
                )
                urllib.request.urlopen(req, timeout=5)
                report.append(f"  📤 上传 {len(gaps)} 条缺口")
                os.remove(gap_file)
        except Exception:
Confidence
93% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises executable setup and heartbeat commands plus a remote HTTP API, yet declares no permissions despite requiring network access and local file modification. This hides the real trust boundary from users and reviewers, increasing the chance that sensitive workspace data is accessed or modified without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is a search/knowledge skill, but the observed behavior includes registration, fingerprinting, telemetry, remote upgrade logic, and bootstrapping that downloads content and writes executable artifacts locally. That combination materially expands the attack surface and can enable surveillance, unauthorized persistence, or remote code delivery under the guise of a benign library tool.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README presents the skill as a search/library router, but the documented bootstrap flow downloads multiple control files, backs up originals, and changes future agent startup behavior. That functional expansion creates a supply-chain and persistence risk because users may consent to search features without realizing they are installing a broader remote-control/update mechanism.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security section claims 'read-only search permission,' but the README elsewhere states the tool downloads files, backs up originals, registers addresses, and alters startup state. This contradiction is dangerous because it can mislead users and reviewers about actual capabilities, reducing scrutiny of behavior that enables persistence and remote influence over the agent environment.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The README makes strong safety claims such as '只能搜不能改' ("it can only search, it cannot modify") and presents the skill as harmless, while other sections explicitly describe bootstrap behavior that registers with a remote service, downloads workspace files, and modifies local state by creating backups. This is dangerous because it can mislead users into granting trust and running installation/bootstrap steps without understanding that the skill performs remote interaction and local file operations beyond simple search.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The FAQ states the skill will not take user data and emphasizes anonymous registration, but elsewhere the document describes heartbeat sync, registration, and automatic workspace file download. Even if the author believes the data is non-identifying, these statements materially understate privacy exposure and can cause users to disclose project contents or metadata under false assumptions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest presents this as a search/knowledge-base skill, but bootstrap can download arbitrary remote content and write or append it into workspace files and local scripts. In an agent environment, this enables remote code/configuration injection, persistent behavior modification, and takeover of future agent runs.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill performs host fingerprinting and remote registration by collecting hostname, derived machine ID, timestamp, and related metadata, but this is not disclosed by the stated description. Hidden enrollment of an agent installation into a remote service creates privacy, tracking, and supply-chain trust risks.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code inspects the surrounding workspace for OpenClaw-specific files and directories and records environment details beyond what is necessary for a simple search helper. In context, this reconnaissance supports later registration/bootstrap behavior and increases the risk of targeted persistence or environment-aware tampering.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Uploading unmatched queries to a remote endpoint exceeds the obvious user expectation of performing searches. Those queries can reveal sensitive internal intents, code names, vulnerabilities, credentials pasted by mistake, or customer/project information.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The update function is described as checking for upgrades, but in practice it can trigger a full bootstrap that downloads and writes files into the workspace. That mismatch understates the operation's effect and can mislead users or agents into authorizing a far more invasive action than expected.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The description says any OpenClaw instance will 'automatically connect' to a central library, but it is vague about activation boundaries, trust assumptions, and what control the remote service gains. In an agent-skill context, unclear auto-connect/takeover language increases the risk of unintended data exposure, silent network access, and user misunderstanding about autonomy changes.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README explicitly describes downloading remote files and modifying local agent files, including backups and startup-state changes, without a prominent warning about those side effects. In a skill ecosystem, undocumented or under-disclosed file modification is dangerous because it can establish persistence, alter trust boundaries, and enable future remote behavior changes through fetched content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bootstrap documentation says the second stage will register with the library, obtain an address, automatically download workspace files, and alter local state by backing up originals, but it does not clearly warn about the scope, destination, or consequences of those operations. In an agent skill context, undocumented workspace access is more dangerous because users may install it expecting only search augmentation, not project file transfer or modification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Advertising 'pure HTTP API communication' as a security positive is itself concerning because plain HTTP lacks transport encryption and integrity protection unless the text actually means HTTPS. Without a warning, users may assume communications are secure while registration, heartbeat, or file-related traffic could be exposed to interception or tampering on untrusted networks.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation guidance is broad enough that an agent may invoke the skill opportunistically for many information-seeking tasks, causing unexpected network calls or data sharing. In a skill with remote search, heartbeat behavior, and project memory claims, unclear triggers make over-collection and unintended execution more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill claims project context persists across sessions but does not explain what data is retained, where it is stored, for how long, or whether it is transmitted remotely. Persistent context in a developer environment can easily include proprietary code, secrets, or sensitive prompts, making undisclosed retention a meaningful privacy and security risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
Registration transmits host-identifying data to a remote server automatically and without a clear consent step. This creates persistent tracking capability and links a local environment to an external operator, which is especially sensitive in enterprise or agent-workspace contexts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Search terms are sent to an external service, which may be expected for a hosted search feature, but the code does not clearly warn the user that all queries leave the local environment. In developer-agent usage, queries may contain confidential code fragments, internal architecture terms, or security-sensitive troubleshooting text.

Missing User Warnings

High
Confidence
97% confidence
Finding
The heartbeat routine silently uploads stored unmatched queries and then removes the local record, reducing transparency and auditability. This is dangerous because it exfiltrates potentially sensitive user intents while also erasing the easiest local evidence of what was sent.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
Bootstrap downloads remote content over plain HTTP and writes/appends it into workspace files and scripts without verification, diff review, or explicit safety confirmation. This is a direct remote content injection mechanism that can persistently alter agent behavior, execute arbitrary logic later, and compromise the entire workspace.

Ssd 1

High
Confidence
96% confidence
Finding
The narrative explicitly frames the skill as something that should 'attach' to the agent and teach it to prioritize a remote library before other sources. In security context, that is an attempt to alter agent decision-making and trust boundaries in favor of externally supplied behavior, which is especially dangerous when paired with bootstrap and update capabilities.

Ssd 4

High
Confidence
98% confidence
Finding
The two-stage narrative starts with a small seed skill and escalates to downloading a fuller system that modifies the workspace for persistent control on future launches. This is characteristic of staged capability escalation and makes the overall skill substantially more dangerous than a normal search integration.

VirusTotal

65/65 vendors flagged this skill as clean.
