openclaw-skill-shorturl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward URL-shortening skill, but users should avoid sending private or token-bearing links to the external service.

Install only if you are comfortable with submitted URLs being sent to shorturl.bot. Do not use it for password reset links, signed URLs, private internal links, or links containing API keys, session tokens, or sensitive query parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly instructs users to send arbitrary URLs to an external shortening service API but does not warn that submitted URLs may be logged, associated with metadata, or disclosed to a third party. The included response example even shows fields like ownerId and submitterIp, which increases concern that user-submitted data and related metadata may be retained or exposed without informed consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends the user-provided long URL, and potentially additional metadata, to a third-party service at shorturl.bot without any explicit warning, consent prompt, or privacy notice. This can expose sensitive URLs, embedded tokens, internal endpoints, or private query parameters to an external operator, which is a real data-leak risk in a utility that may be used on arbitrary input.

VirusTotal

66/66 vendors flagged this skill as clean.
