Back to skill

Security audit

Hit Preview EN

Security checks across malware telemetry and agentic risk

Overview

This is a coherent script-analysis skill that may use configured AI provider keys and send the script to that provider, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install this if you are comfortable with AI mode using your configured provider key and sending analyzed scripts to that provider. For confidential or unpublished scripts, unset provider API key environment variables so the local fallback is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly states it auto-reads OpenClaw configuration and uses configured third-party AI providers, but the documentation does not clearly warn that user-submitted scripts may be transmitted off-host to external services. This creates a real privacy and data-handling risk because users may assume analysis is local or may not realize provider selection is automatic.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bundle-en.js:26