Skill Activator (Skill 激活器)

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it should be reviewed because its normal scan can expose local identity/profile files and integration signals without a clear consent step.

Install only if you are comfortable with a local helper inspecting your OpenClaw skill directories, workspace identity/profile files, and configured-channel signals. Before running the scan, review SOUL.md, USER.md, and IDENTITY.md for secrets or private details, and avoid sharing the scan output unless you have checked it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The document explicitly instructs the skill to scan the user's environment and infer identity/role before making recommendations. That expands the skill from simple recommendation logic into collection and profiling of potentially sensitive local context, with no visible limitation, consent step, or data-minimization guidance. In this skill context, role-based recommendations do not require unrestricted environment scanning, so the added capability is unnecessarily invasive.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The usage section directs execution of a local script, `scripts/scan_environment.sh`, to discover installed skills and user identity. Invoking an environment-scanning script creates a concrete path to collect more information than needed for recommendations, and the file provides no safeguards, review steps, or scope constraints. In an agent-skill ecosystem, this is risky because users may not realize the script can inspect local state and profile them.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads and prints the first 30 lines of SOUL.md, USER.md, and IDENTITY.md directly to stdout. These files can contain sensitive personal or organizational information, and exposing their contents is not necessary for merely discovering installed skills or recommending automations. In the context of a skill activator, this capability is broader than needed and increases privacy risk because scan output may be logged, shared, or passed to other components.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The script recursively searches ~/.openclaw configuration files to infer which channels are configured. While it does not print secrets directly, it inspects global user configuration outside the workspace, which is not clearly required for the stated purpose of matching or activating skills. This broadens the data collection scope and may reveal connected platforms that users did not expect to be scanned.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad and include generic terms such as "激活" and "scan my skills," which can cause the skill to activate in contexts where the user did not intend environment inspection or file access. In this skill’s context, unintended activation is more dangerous because activation can lead to scanning local identity and workspace data, not merely producing harmless recommendations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow directs the skill to read SOUL.md/USER.md/IDENTITY.md, connected channels, memory files, and heartbeat/workspace state without any upfront warning or consent prompt. Because these sources can contain personal profile data, behavioral context, integrations, and possibly sensitive operational details, the absence of a clear warning materially increases the chance of privacy-invasive data collection and accidental disclosure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The file tells the skill to scan the user's environment and match identity to a role, but gives no privacy notice or warning that installed skills and role files may reveal sensitive personal or organizational information. Lack of disclosure undermines informed consent and increases the chance of silent profiling. Because this skill is positioned as a helpful recommender, users may be especially unlikely to expect privacy-sensitive analysis.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions direct reading installed skills and role files via environment scanning without disclosing that these artifacts can expose personal identity, job function, projects, or organizational tooling. This omission creates a privacy and transparency failure even if the technical behavior is limited. In context, the danger is amplified because the guidance normalizes silent inspection as a standard setup step.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script outputs potentially sensitive identity file contents without any explicit privacy notice, confirmation step, or redaction. Because the data is emitted to stdout, it can be captured in logs, terminal history, agent transcripts, or downstream tooling, creating an avoidable disclosure path. The skill context makes this more dangerous because users may invoke a benign-sounding 'scan' expecting recommendations, not content exfiltration from identity documents.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The channel scan inspects user configuration files under ~/.openclaw without an explicit privacy warning. Even though the script only reports whether certain platforms appear configured, this still discloses aspects of the user's environment and integrations, which may be sensitive in some operational contexts. For a skill whose description focuses on recommendation and activation, silent config inspection is more invasive than users are likely to expect.

VirusTotal

65/65 vendors flagged this skill as clean.
