Skillsmith

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw skill scaffolding CLI whose main risk is a force-overwrite option that can delete the chosen target folder.

Install if you want a local skill scaffolding tool. Choose `--out` carefully, avoid `--force` unless you intend to replace that exact generated directory, and review the optional generated GitHub Actions workflow before using it in a real repository.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The CLI deletes the entire target directory with fs.rmSync(projectRoot, { recursive: true, force: true }) whenever --force is provided, without a last-chance confirmation or stronger safety checks. If the output path or skill name is mistyped, or if automation passes an unexpected --out value, this can cause irreversible local data loss beyond the intended scaffold overwrite.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal