Security audit

Agent Skills Setup

Security checks across malware telemetry and agentic risk

Overview

This is a real cross-IDE skill migration helper, but it can install software and persistently rewrite or delete skill/configuration files across multiple IDE environments.

Install only if you deliberately want a tool that can manage skills across IDEs. Run dry-run modes first, verify every source and target path, and keep backups. Avoid overwrite or mirror-delete modes unless you accept removals, and treat the OpenClaw auto-config helper as high trust because it may execute remote installers and metadata-declared dependency installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to run shell scripts and access environment-specific paths, but it does not declare any permissions or safety boundaries. That mismatch can cause an agent or user to execute filesystem-modifying commands without clear authorization or review expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script downloads and executes a remote installer via `curl | bash`, giving the remote server immediate code execution on the host. In a skill whose stated purpose is setup guidance and configuration, bundling unsandboxed remote execution materially expands trust and attack surface beyond what a user would reasonably expect.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script installs software through brew, npm/pnpm/yarn/bun, go, uv, and direct downloads based on skill metadata parsed from `SKILL.md`. This creates a metadata-driven execution path where modifying skill metadata can trigger installation of arbitrary external packages or binaries, which is excessive for a setup-instructions skill and increases supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The config patcher reads the existing config file and evaluates it with `Function(... )()`, which treats file contents as executable code rather than data. If an attacker can influence `openclaw.json`, running this script will execute arbitrary JavaScript with the user's privileges.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation rule triggers on a broad phrase like IDE migration, which can match ordinary discussion and steer the agent into proposing or initiating migration workflows unnecessarily. In this skill, that broad trigger is more dangerous because the workflow quickly escalates to shell commands that copy and overwrite user files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that sync operations remove extra skills from mirror targets to enforce exact parity, but it does not foreground that this can delete existing content. Because the skill targets user home directories and shared IDE configuration locations, an unsuspecting user could lose custom skills or agent configuration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The one-command migration block performs bulk directory creation and recursive copies across multiple global config locations without a prominent safety warning or verification step. A user or agent following it may overwrite or pollute several IDE environments at once, making mistakes broad and hard to roll back.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The file states that Antigravity uses the skill description in `SKILL.md` for implicit invocation, but it provides no guardrails on scope, specificity, or safety boundaries. In a skill-installation and migration context, overly broad descriptions can cause unintended automatic triggering of powerful skills across repositories, increasing the chance of prompt injection, unsafe automation, or execution of the wrong workflow.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The migration examples perform bulk recursive copies of skill directories between agent locations without any overwrite checks, conflict detection, or warning about importing executable `scripts/` content. In a skill ecosystem where copied content may later be auto-loaded or trusted by IDE tooling, blindly duplicating all files can propagate unsafe or malicious skills across environments and overwrite a safer local version.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script uses `rsync -a --delete` to mirror skill directories, which can remove files in destination paths without any explicit warning, preview, or confirmation. If a workspace or managed directory is mis-specified, the script can destructively delete user data or project files.

Missing User Warnings

High
Confidence
99% confidence
Finding
Fetching and piping a remote script directly into `bash` executes unaudited code without integrity verification or an informed user checkpoint. This is especially risky in an automation skill because users may run it expecting local configuration changes, not arbitrary code from the network.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script supports an overwrite mode that deletes an existing target skill directory with `rm -rf` before copying replacement content, but it does not present an explicit warning or interactive confirmation at the point of deletion. In a migration tool that operates on user home directories and IDE config locations, this increases the chance of accidental destructive data loss from operator error or unexpected path resolution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script wraps rsync with `-a --delete`, which will remove files from each destination that are not present in the source. Because the default target paths are global skill directories under the user's home directory and the script automatically creates and mirrors them, a normal invocation can silently delete unrelated or manually added content if the destination path is wrong, repurposed, or contains extra files. In this skill context, the danger is increased because it operates across multiple global IDE/agent directories, amplifying accidental destructive impact.

Self-Modification

High
Category
Rogue Agent
Content
| Strategy | Behavior |
|----------|----------|
| `backup` | Create timestamped backup before overwriting (default) |
| `overwrite` | Replace existing files without backup |
| `skip` | Skip existing files, only copy new ones |

### 7.6 Example Workflows
Confidence
93% confidence
Finding
Replace existing file

Session Persistence

Medium
Category
Rogue Agent
Content
When installing a new skill:

1. **Determine Scope**: Should this be Global (all projects) or Project-level (shared in repo)?
2. **Create Directory**: Navigate to the appropriate path above and create the `<skill-name>` folder.
3. **Draft SKILL.md**: Ensure the `description` is comprehensive, as it is the primary trigger for ALL agents.
4. **Agent-Specific Polish**: 
    - For OpenClaw, decide whether the skill belongs in shared `~/.openclaw/skills/` or an individual agent workspace `skills/` folder, and configure `skills.entries` / `agents.list` as needed
Confidence
89% confidence
Finding
Create Directory**: Navigate to the appropriate path above and create the `<skill-name>` folder. 3. **Draft SKILL.md**: Ensure the `description` is comprehensive, as it is the primary trigger for ALL

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# === To Trae (International) ===
for dir in ~/.gemini/antigravity/skills/*/; do
    skill_name=$(basename "$dir")
    mkdir -p ~/.trae/skills/$skill_name
    cp -r "${dir}"* ~/.trae/skills/$skill_name/
done
```
Confidence
92% confidence
Finding
mkdir -p ~/.trae/skills/$skill_name cp -r "${dir}"* ~/.trae/skills/$skill_name/ done # === To Trae CN (China) === for dir in ~/.gemini/antigravity/skills/*/; do skill_name=$(basename "$dir")

Session Persistence

Medium
Category
Rogue Agent
Content
### One-command migration to all agents

```bash
# Create all target directories
mkdir -p ~/.trae/skills ~/.trae-cn/skills ~/.copilot-skills ~/.claude/skills ~/.codex/skills ~/.openclaw/skills

# Copy to all agents
```
Confidence
95% confidence
Finding
Create all target directories mkdir -p ~/.trae/skills ~/.trae-cn/skills ~/.copilot-skills ~/.claude/skills ~/.codex/skills ~/.openclaw/skills # Copy to all agents for dir in ~/.gemini/antigravity/ski

VirusTotal

65/65 vendors flagged this skill as clean.