Security audit

prompt-optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it persistently changes agent memory so future requests may be automatically rewritten and executed without clear per-use consent.

Install only if you want global prompt-optimization rules to affect future OpenClaw behavior. Back up and review agent-notes.md, prefer merge mode over overwrite, and use explicit wording such as asking to show the optimized prompt first for sensitive, external, or side-effecting work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium. Confidence: 82%.
The rule set presents itself as improving transparency, but elsewhere it mandates hidden prompt optimization and default direct execution. That mismatch can mislead users about when the system is transforming their request or acting without explicit approval, which increases the risk of unintended actions and weakens informed consent.

Vague Triggers

Severity: Medium. Confidence: 89%.
The invocation examples are generic, everyday requests like writing an article or researching competitors, which makes it unclear when this skill should activate versus when the base assistant should respond normally. In an agent ecosystem, overly broad activation scope can cause unintended routing, prompt rewriting, or hidden policy application to ordinary user queries, reducing transparency and potentially altering outputs in ways the user did not request.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The manual install instructions direct users to copy a rules file into `~/.openclaw/workspace/memory/agent-notes.md`, which is a persistent memory location likely to influence future agent behavior. This modifies durable user state without clearly warning that existing notes may be overwritten or that the skill will persist beyond the current task, creating a prompt-persistence and configuration-tampering risk.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The merge-mode instructions append content to `agent-notes.md`, permanently altering the agent's memory/rule set in a cumulative way. Even with a backup step, the document does not clearly explain the security implications of persistent prompt injection, rule conflicts, or unintended long-term behavior changes across future sessions.

Vague Triggers

Severity: Medium. Confidence: 87%.
The automatic mode-selection keywords are broad and overlap with normal user language such as 'design', 'analysis', or 'summary'. This can cause the agent to silently choose stronger execution paths or multi-agent workflows than the user intended, creating authorization and reliability risks.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The document's core principle explicitly directs hidden optimization and direct execution without confirmation. In an agent skill, this is dangerous because it normalizes acting on transformed instructions without ensuring the user understands what will be done, which can lead to unintended external actions, unsafe content generation, or policy bypass through prompt rewriting.

Vague Triggers

Severity: Medium. Confidence: 88%.
The manifest description advertises a very broad capability ('let AI automatically complete professional-grade prompt reconstruction') without defining clear activation boundaries, user consent expectations, or task scope. In a skill that installs rules into persistent agent memory and supports agent routing, this ambiguity can cause over-invocation or inappropriate application of prompt-rewriting behavior across unrelated tasks, increasing the chance of unsafe instruction shaping.

Natural-Language Policy Violations

Severity: Medium. Confidence: 81%.
The description hardcodes Chinese-language behavior ('用户说人话即可', Chinese-facing product copy) without indicating locale negotiation, user preference handling, or multilingual fallback. This can lead to unexpected language coercion, misinterpretation of user intent, and unsafe transformations if prompts are rewritten in a language the user did not request, especially for security-sensitive or high-precision tasks.

Vague Triggers

Severity: Medium. Confidence: 91%.
The test input "调研一下 Notion 竞品" is a generic user request rather than a uniquely scoped activation phrase, so it could overlap with normal conversation and unintentionally trigger the skill. In an agent-routing or prompt-matching system, broad triggers increase the chance of misfires, causing the wrong skill to run on ordinary user input and potentially altering behavior without clear user intent.

Ssd 3

Severity: Medium. Confidence: 89%.
The badcase workflow instructs collecting user corrections, reviewing interactions, and updating memory, which creates a retention channel for potentially sensitive user data. Without minimization, consent, retention limits, and access controls, these records can leak private information or be reused inappropriately across sessions.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.