Back to skill

Security audit

Bounty Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is a real bounty-automation workflow, but it sets up unattended recurring jobs that can use your accounts to bid, claim work, modify code, push branches, open PRs, post payment details, and send QQ notifications with weak scoping controls.

Review before installing. Only use this if you intentionally want unattended bounty automation operating through your GitHub and OpenTask accounts. Replace the hardcoded QQ and payment/contact values, back up existing OpenClaw cron jobs before running the installer, restrict token scopes, protect token files, and add manual approval before any bid, claim, git push, PR, or payment comment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill advertises bounty automation, but the documented behavior also includes installing cron-based persistence, sending QQ notifications, and configuring periodic gateway-driven execution. Those additional behaviors materially expand the trust boundary and execution surface; if a user enables the skill without realizing it will persist and run on a schedule, it can continuously act on accounts and data with little visibility.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The installer creates persistent scheduled jobs that continuously trigger autonomous scanning and code-submission workflows, including execution of local Python scripts and outbound notifications. In the context of a bounty automation skill, this increases danger because it enables unattended repeated actions against external platforms, which can cause unauthorized changes, spam, misuse of credentials, or runaway automation if the underlying agent behavior is manipulated or misconfigured.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The architecture states the GitHub pipeline will automatically claim tasks, fork, clone, implement changes, push code, and submit PRs, but the skill does not prominently warn that it will perform account actions and code changes on the user's behalf. This is dangerous because users may grant tokens expecting passive scanning, while the skill can create public actions, modify repositories, and potentially damage reputation or violate platform rules.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to store long-lived GitHub and OpenTask tokens in local files, but it does not provide a clear security/privacy warning about the sensitivity of those credentials or the consequences of compromise. In the context of an automation skill that runs periodically, these tokens enable ongoing authenticated actions, increasing the blast radius if the host, logs, backups, or file permissions are exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly configures a cron-driven workflow that scans, claims, implements, commits, pushes, and opens PRs against remote repositories without any required user confirmation or safety interlock. In the context of an agent skill, this is dangerous because it authorizes autonomous code modification and external side effects on a recurring schedule, increasing the chance of unintended repository changes, abusive submissions, or supply-chain impact if the agent misinterprets an issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The deployment guide instructs operators to store long-lived OpenTask and GitHub tokens in predictable local files and shell config without any warning about secret handling, least privilege, or file permission hardening. In an automation skill that also uses curl, git, and cron, exposed credentials materially raise the risk of account compromise, unauthorized API use, repository takeover, or secret leakage through logs and downstream agent actions.

Credential Access

High
Category
Privilege Escalation
Content
}
END_OF_CRED

cp ~/.opentask/credentials.json ~/.opentask/credentials-old.json
# 修改第二个文件的 tokenValue 为老账号

# GitHub
Confidence
90% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# OpenTask
mkdir -p ~/.opentask
cat > ~/.opentask/credentials.json << 'END_OF_CRED'
{
  "email": "your@email.com",
Confidence
84% confidence
Finding
mkdir -p ~/.opentask cat > ~/.opentask/credentials.json << 'END_OF_CRED' { "email": "your@email.com", "handle": "your_handle", "tokenValue": "ot_YOUR_TOKEN" } END_OF_CRED cp ~/.opentask/credent

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.