Skill Scout

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for finding and managing OpenClaw skills, with disclosed commands and no hidden code.

Before installing or updating skills through this helper, inspect each recommended skill, review its permissions and source, and approve install, update, sync, or uninstall commands explicitly, especially bulk updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 95%
Finding
The activation triggers are broad enough to match generic user requests like 'find me a skill', 'add a tool for...', or 'I want to automate...', which can cause the skill to activate outside a narrowly scoped discovery context. In practice, this increases the chance the agent will steer users toward searching for and installing third-party skills when they may have been asking for general advice, expanding exposure to untrusted community content and unnecessary install flows.

VirusTotal

64/64 vendors flagged this skill as clean.
