OpenTable Reservations

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its troubleshooting instructions tell the agent to change a global browser SSRF allowlist and restart the OpenClaw gateway.

Review before installing. The reservation-link behavior is intentionally limited and does not submit bookings, but do not let the skill automatically run the troubleshooting command unless an administrator approves the allowlist change and gateway restart. Prefer configuring OpenTable browser access separately and explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 93%
Finding:
The troubleshooting section instructs the agent to modify a global SSRF allowlist and restart the gateway, which changes system-wide security posture outside the narrow task of generating reservation links. Even though presented as a fix for OpenTable access, this is an operational side effect that can weaken protections for other skills and sessions and should not be embedded in a task skill.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill includes operational commands that alter system configuration and restart a gateway without an explicit user/admin confirmation boundary. Embedding privileged environment changes in troubleshooting text increases the risk that an agent performs infrastructure mutations during a normal user task, potentially affecting unrelated traffic and protections.

VirusTotal

65/65 vendors flagged this skill as clean.
