OpenClaw TDD Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a normal test-development helper, with minor implementation and documentation caveats but no evidence of hidden, destructive, or data-stealing behavior.

Use this skill on projects you trust, because running tests can execute that project's code. Avoid relying on the advertised cycle, mutant, Jest, or Go support without verifying it, and be aware that temporary test reports use predictable /tmp filenames on shared machines.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: Writing the coverage JSON report to a fixed world-shared path under /tmp creates a predictable filename that can be clobbered, read by other local users, or redirected via symlink attacks on multi-user systems. Because the tool later reads that same path, an attacker on the same host could tamper with the report contents or influence what file is accessed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal