Octo Mention

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local tool for building and querying sensitive group-member nickname mappings, with no hidden network access or automatic execution found.

Install only if you are comfortable maintaining a sensitive local identity and alias database for group members. Keep the generated openclaw.json/openclaw.md private, avoid committing them, and restrict who can run lookup_alias.py or read the database because it can reveal member identities, aliases, group context, and supporting message evidence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This CLI prints direct alias-to-UID/canonical-name mappings, group membership context, and confidence metadata with no access control, consent check, or warning about the sensitivity of the data. In the context of this skill, the entire purpose is to maintain and query identity mappings for group members, so exposing the lookup results to any caller can enable privacy violations, deanonymization, and social graph inference.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal