Security audit

短剧爆款预演器

Security checks across malware telemetry and agentic risk

Overview

This AI script-analysis skill needs review because it automatically uses local AI credentials/configuration, can upload script contents to external providers, and its package/runtime metadata is inconsistent.

Install only if you are comfortable with the skill reading your OpenClaw model configuration or AI API environment variables and sending script text to the configured provider. Use a limited API key/profile, avoid confidential scripts, and prefer a corrected release with consistent install metadata and no API key prefix display.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises simple script analysis, but the metadata indicates it can access environment/configuration and make network requests without declaring corresponding permissions. In this context, that means a user may unknowingly expose local OpenClaw configuration and trigger outbound API calls, which creates a real transparency and data-handling risk even if the functionality is partly related to AI analysis.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a strong true positive because the documented behavior extends beyond short-drama analysis into reading local config, testing third-party API connectivity, revealing API key prefixes and endpoint details, and injecting a promotional link into outputs. The combination of undisclosed local file access, external transmission, and partial credential/config disclosure materially increases the risk of privacy leakage, secret exposure, and user deception.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill reads ~/.openclaw/openclaw.json and provider-specific environment variables to obtain API credentials, which is broader access than users would expect from a script-analysis tool. In this context the skill also sends user-supplied script content to external APIs, so local secret discovery materially increases privacy and credential-exposure risk if the skill is installed in a more privileged environment.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The CLI includes config inspection and connectivity-test commands that go beyond the advertised core function of analyzing scripts. Those extra capabilities enumerate local configuration state and surface model/provider details, expanding the attack surface and making it easier to probe a host environment for available providers and credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill transmits user script content to third-party AI endpoints such as DeepSeek/OpenAI without an in-code consent step or prominent warning at the point of use. Because scripts may contain unpublished creative work or confidential business material, silent external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI reads script files from disk and then routes their contents into external analysis requests, but the file-reading path does not clearly warn that contents may be uploaded off-host. This is dangerous because users may assume local processing when passing a file path, causing unintended disclosure of sensitive material.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bundle.js:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bundle.js:36