OpenClaw Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a local, user-run security scanning skill with proportionate file-reading behavior and no evidence of hidden network access, persistence, or destructive actions.

Install only if you are comfortable running a local Python scanner over directories you choose. Treat secret-scan output as sensitive, especially in CI logs, and use a dedicated dependency auditing tool such as pip-audit or safety for real vulnerability checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill documentation instructs users to run Python scripts that scan files and invoke CLI-style operations, implying file-read and shell execution capabilities, but no permissions are declared. Undeclared capabilities weaken trust boundaries and can lead users or hosting platforms to grant broader access than is transparently documented, especially for a security-themed skill likely to be run against entire repositories.

VirusTotal

61/61 vendors flagged this skill as clean.
