
Security audit

Painpoint Discovery Expert

Security checks across malware telemetry and agentic risk

Overview

This is a transparent research helper that uses browser searches to produce startup painpoint reports, with no code execution or credential access.

Install only if you want browser-based market research. Every search query leaves the machine and goes to external search engines, and the results are scraped from third-party pages, so do not use confidential business plans, customer names, or private internal topics as search queries, and treat the generated business ratings as preliminary research that needs real-world validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers
Medium severity, 88% confidence

Finding: The README states that OpenClaw 'automatically calls this skill' when a user says broad phrases like 'find painpoints in X', which can overlap with ordinary exploratory requests and cause unintended skill activation. Broad auto-routing increases the chance that the agent performs web research or structured analysis without explicit user consent for tool use, creating control and safety issues even if the skill itself is not overtly harmful.

Vague Triggers
Medium severity, 84% confidence

Finding: The subagent mode description says OpenClaw may spawn an independent subagent for 'deep research' based on a loosely defined request, but it does not specify strict trigger constraints, approval requirements, or resource limits. This ambiguity can lead to unintended delegation, excessive tool usage, and longer-running autonomous behavior than the user expected.

Vague Triggers
Medium severity, 94% confidence

Finding: The skill's trigger description is broad enough that it could activate on loosely related requests, causing the agent to enter browser-based research and scraping workflows when the user did not clearly intend to invoke this capability. In a browsing skill, unintended invocation increases the chance of unnecessary web access, over-collection of third-party content, and off-task behavior, even though the skill is not overtly malicious.

Vague Triggers
Medium severity, 96% confidence

Finding: The quick-start invocation phrase is generic and can match common user language such as 'find painpoints in X domain' without verifying that the user wants web scraping, market analysis, or startup-oriented research. Because the workflow immediately proceeds into multiple searches and page scraping, an accidental match could trigger unnecessary external browsing and data collection beyond the user's intended scope.
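All four findings above describe the same weakness: a trigger phrase broad enough to match ordinary requests, routed straight into browsing without a consent step. The check below is an added example, not the skill's own code and not SkillSpector's scoring, and OpenClaw's real manifest format and routing API are not shown on this page; the keyword sets, the placeholder convention ('X', '<topic>', '{domain}'), the score threshold and the sample phrases are all assumptions. It scores declared trigger phrases for breadth, then gates a matched request so that the skill auto-invokes only on a specific trigger (one that names the skill and its browsing side effect) and otherwise asks the user first.

```python
"""Trigger-breadth audit for an agent skill (added example; every
vocabulary and threshold below is an assumption, not OpenClaw's)."""
import re
from dataclasses import dataclass, field

# Words that name the external side effect a user should knowingly opt into.
TOOL_WORDS = {"browse", "browser", "browsing", "scrape", "scraping",
              "search", "searches", "fetch", "crawl"}
# Words that tie a phrase to this skill rather than to ordinary exploration.
SKILL_WORDS = {"painpoint", "painpoints", "startup", "market"}
# Placeholders that let a phrase match almost any object: 'X', '<topic>', '{domain}'.
PLACEHOLDER = re.compile(r"\b[XYZ]\b|<[^>]+>|\{[^}]+\}")
# Scores at or below this may route without a confirmation step (assumed threshold).
AUTO_INVOKE_MAX_SCORE = 1


@dataclass
class TriggerReport:
    phrase: str
    score: int                      # 0 = specific; higher = broader
    reasons: list = field(default_factory=list)

    @property
    def auto_invoke(self) -> bool:
        return self.score <= AUTO_INVOKE_MAX_SCORE


def assess_trigger(phrase: str) -> TriggerReport:
    """Heuristic breadth score for one declared trigger phrase."""
    words = re.findall(r"[a-z]+", phrase.lower())
    tokens = set(words)
    report = TriggerReport(phrase, 0)
    if PLACEHOLDER.search(phrase):
        report.score += 1
        report.reasons.append("placeholder matches any object")
    if len(words) < 5:
        report.score += 1
        report.reasons.append("short phrase (fewer than 5 words)")
    if not SKILL_WORDS & tokens:
        report.score += 2
        report.reasons.append("no skill-specific keyword; overlaps ordinary requests")
    if not TOOL_WORDS & tokens:
        report.score += 2
        report.reasons.append("does not name the browsing/scraping side effect")
    return report


def audit_triggers(phrases):
    """Reports for all declared phrases, broadest first."""
    return sorted((assess_trigger(p) for p in phrases), key=lambda r: -r.score)


def trigger_to_regex(trigger: str) -> re.Pattern:
    """Turn 'find painpoints in X' into a case-insensitive pattern in which
    each placeholder matches any non-empty text."""
    parts = [re.escape(p) for p in PLACEHOLDER.split(trigger)]
    return re.compile(".+?".join(parts), re.IGNORECASE)


def route_request(user_request: str, trigger: str, user_confirmed: bool = False) -> str:
    """'ignore' if the request does not match the trigger; 'invoke' if the
    trigger is specific enough or the user already confirmed; otherwise
    'ask', i.e. obtain consent before any browsing or scraping starts."""
    if not trigger_to_regex(trigger).search(user_request):
        return "ignore"
    if user_confirmed or assess_trigger(trigger).auto_invoke:
        return "invoke"
    return "ask"


# Constructed sample phrases modelled on the ones the findings quote.
SAMPLE_TRIGGERS = [
    "find painpoints in X",
    "find painpoints in X domain",
    "do deep research on this",
    "run painpoint-discovery market scan for X using browser search",
]

if __name__ == "__main__":
    for r in audit_triggers(SAMPLE_TRIGGERS):
        print(f"{r.score}  {'auto' if r.auto_invoke else 'ASK '}  {r.phrase!r}")
        for reason in r.reasons:
            print(f"      - {reason}")
    print(route_request("Find painpoints in fintech onboarding", SAMPLE_TRIGGERS[0]))
```

Run against the sample list, the two phrases the findings quote both score 3 or 4 and are gated to "ask", while only the phrase that names both the skill and its browser-search side effect scores low enough to route automatically. The same gate can be applied to a subagent spawn request: treat a 'deep research' delegation like any other side effect and require the confirmation step unless the trigger is specific.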

VirusTotal

66 of 66 vendors reported this skill as clean (no detections). Note that VirusTotal scans the packaged files for known malware signatures; it does not evaluate prompt-level behavior such as the trigger-breadth findings above, so a clean result does not address them.