Skill

Security checks across malware telemetry and agentic risk

Overview

AgentShield appears purpose-aligned as a security monitor, but installation makes persistent and blocking changes to the user's OpenClaw environment that deserve manual review.

Install only after reviewing install.sh and deciding that you want a persistent local security daemon that can block OpenClaw tool calls. Treat the OpenClaw plugin install and timeout_policy=block setting as high-impact changes, keep the generated auth token private, and enable OpenAI or Anthropic triage only if you accept sending security event details outside your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises shell-capable installation and management behavior (`install.sh`, `go build`, `curl`, service commands) while the metadata declares no permissions. This creates a transparency and policy-enforcement gap: users or platforms may treat the skill as lower risk than it is, despite its ability to execute local commands, modify files, and manage services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as a security monitoring component, but the documented behavior includes software installation, downloading/building binaries, persistent service registration, configuration patching, token injection, and cleanup logic. That mismatch is dangerous because it can mislead reviewers and users about the operational footprint and trust boundary changes introduced by the skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer performs side effects on a separate tool ecosystem by installing and configuring an OpenClaw plugin, which exceeds a narrowly scoped engine install and changes the user's agent execution environment. This is risky because it silently expands trust to an npm-delivered plugin and modifies security-relevant settings such as endpoint, auth token, and blocking behavior without explicit opt-in.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The function name/comment suggests only configuration patching, but it also installs code into OpenClaw from npm. This mismatch reduces transparency and undermines informed consent, making it easier for users or automation to accept broader changes than expected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that suspicious events may be sent to OpenAI or Anthropic for triage, but it does not clearly warn that event contents may contain sensitive tool-call data, prompts, commands, file paths, or other user context. This omission can cause unintended third-party data disclosure, especially in a security-monitoring product that may inspect sensitive activity.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Build from source
go build ./cmd/agentshield/

# Create directory structure
mkdir -p ~/.agentshield/rules

# Clone rules
```
Confidence
90% confidence
Finding
```bash
# Create directory structure
mkdir -p ~/.agentshield/rules

# Clone rules
git clone --depth 1 https://github.com/agentshield-ai/sigma-ai.git ~/.agentshield/rules

# Generate auth token
openssl rand -hex
```

Session Persistence

Medium
Category
Rogue Agent
Content
**macOS (launchd):**
```bash
launchctl load ~/Library/LaunchAgents/ai.agentshield.engine.plist
launchctl unload ~/Library/LaunchAgents/ai.agentshield.engine.plist
tail -f ~/.agentshield/engine.log
```
Confidence
96% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
**macOS (launchd):**
```bash
launchctl load ~/Library/LaunchAgents/ai.agentshield.engine.plist
launchctl unload ~/Library/LaunchAgents/ai.agentshield.engine.plist
tail -f ~/.agentshield/engine.log
```
Confidence
96% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.
