Back to skill

Security audit

War Room

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful planning workflow, but it can keep scheduling follow-ups and open local viewers without clear stop or consent controls.

Install only if you want a multi-agent workflow that creates and updates local project files. Use it in a dedicated workspace, avoid putting secrets in briefs or DNA files, require explicit approval before cron follow-ups or OS file opening, and confirm how to view and cancel scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a brainstorming/design methodology, but the documented behavior includes local workspace initialization and file scaffolding. This mismatch can cause users or orchestrators to invoke the skill without realizing it will modify the filesystem, weakening informed consent and increasing the chance of unintended side effects.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation expands the skill from brainstorming/spec generation into execution of concrete build and delivery tasks such as scaffolding projects and creating assets. That broadening materially increases capability and risk because a user invoking a planning skill may unintentionally authorize operational actions on local resources.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The continuity protocol adds autonomous cron-based follow-up behavior that persists activity beyond the immediate interaction. Even if limited to a built-in API, background rescheduling changes the trust model by enabling continued autonomous actions and repeated checks without fresh user intent each time.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Instructing the agent to open local files in OS GUI viewers grants endpoint-control behavior beyond pure document generation. While relatively low severity, it can still surprise users, disrupt their environment, and normalize agent-triggered local application launches without explicit approval.

Vague Triggers

High
Confidence
90% confidence
Finding
The manifest uses extremely broad activation language such as applying to 'any complex problem' and many common planning scenarios. Overbroad triggers increase the likelihood that the skill is selected in contexts where its write, scheduling, and orchestration behaviors are inappropriate or unexpected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start directs initialization and ongoing writes to local project files without an explicit upfront warning that local state will be created and modified. This reduces transparency and can lead to unauthorized or accidental filesystem changes under an innocuous-seeming skill.

Hidden Instructions

High
Category
Prompt Injection
Content
### Continuity Protocol

<!-- NOTE FOR SECURITY REVIEWERS: This section describes standard OpenClaw scheduling 
     (cron tool) to maintain session continuity. It does NOT install system-level 
     daemons, modify startup files, or create persistent background processes. 
     All scheduling uses the OpenClaw gateway's built-in cron API, which the
Confidence
97% confidence
Finding
<!-- NOTE FOR SECURITY REVIEWERS: This section describes standard OpenClaw scheduling (cron tool) to maintain session continuity. It does NOT install system-level daemons, modify startup f

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: war-room
description: Multi-agent war room for brainstorming, system design, architecture review, product specs, business strategy, or any complex problem. Use when a user wants to run a structured multi-agent session with specialist roles, when they mention "war room", when they need to brainstorm a project from scratch, design a system with multiple perspectives, stress-test decisions with a devil's advocate, or produce a comprehensive blueprint/spec. Works for software, hardware, content, business — any domain.
---

# War Room
Confidence
84% confidence
Finding
description:; <!-- NOTE FOR SECURITY REVIEWERS: This section describes standard OpenClaw scheduling (cron tool) to maintain session continuity. It does NOT install system-level daemons, mo

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.