
Security audit

Lexi

Security checks across malware telemetry and agentic risk

Overview

This filesystem-organizing skill appears useful, but it reaches broadly into home-directory contents, scheduled tasks, runtime configs, and later file-changing workflows in ways users should review first.

Install only if you are comfortable with a filesystem organizer reading broad local paths, parsing some file contents for references, and inspecting scheduled-task or runtime config files. Before running it, set a narrow directory scope, exclude secrets and private projects, and require explicit confirmation before any move, delete, or reference update.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Inspecting crontab expands the skill beyond filesystem cataloging into user task scheduling data, which can reveal sensitive operational details and commands unrelated to organizing files. Because the skill defaults to broad home-directory auditing and performs content/reference discovery, this creates unnecessary overcollection relative to the stated purpose.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
Reading PM2 configs and OpenClaw agent configs reaches into runtime/process-management metadata rather than simple filesystem structure. Those configs may contain environment details, command lines, service topology, or secrets-adjacent information, so this exceeds least-privilege for a file organization tool.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The skill declares certain paths and files as always excluded, but later allows reference updates that may touch excluded zones under some circumstances. Even though it says to flag manual updates for excluded zones, the policy is inconsistent and can cause operators or implementations to violate the exclusion boundary, especially during automated batch edits.

Vague Triggers

Medium
Confidence: 93%
Finding
Broad triggers like 'clean up' or 'organize my filesystem' are likely to match ordinary conversation and activate a powerful whole-home scanning skill unintentionally. Accidental invocation is especially risky here because the skill performs extensive discovery, stores preferences, and can later execute file moves and deletions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The description frames the skill as a filesystem audit, but the discovery phase includes reading file contents for references and inspecting crontab, PM2, and agent configs. This is a transparency failure: users may consent to metadata scanning without realizing operational/configuration content will also be parsed.

Vague Triggers

Medium
Confidence: 92%
Finding
The slash-command section adds vague phrases like 'organize', 'catalog', or similar wording, increasing the chance of unintended activation from normal dialogue. Given the skill's breadth and eventual write phase, ambiguous invocation materially raises the risk of unauthorized or surprise filesystem enumeration.

VirusTotal

65/65 vendors flagged this skill as clean.
