Security audit

Agent Self Reflection 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about self-reflection, but it can read recent conversations and make lasting memory or instruction changes without a review step.

Install only if you are comfortable with recent OpenClaw conversations being reviewed and summarized into persistent workspace or memory files. Prefer manual or dry-run operation first, review proposed edits before they are written, and avoid unattended cron use in workspaces where transcripts may contain credentials, personal data, or sensitive business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes shell commands and reads transcript files but does not declare the permissions those capabilities require. This creates an authorization and review gap: operators may approve or run the skill without realizing it can enumerate sessions and access local transcript data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to inspect recent session transcripts, which may contain sensitive user content, tool outputs, secrets, or private operational context, without any consent, minimization, or redaction requirements. Because it is designed to run on a cron schedule, this access can happen automatically and repeatedly, increasing privacy risk and the chance of unauthorized data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to write derived insights into persistent memory and workspace files across several locations without a user-facing notice, approval gate, or integrity controls. This can silently store sensitive inferences, contaminate future agent context, and create long-lived privacy and prompt-injection persistence risks if harmful or incorrect content is written into memory files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints condensed session transcript content directly to stdout, including user and assistant messages and tool error text. Because session transcripts can contain secrets, personal data, or sensitive operational context, emitting them in plain text can leak data to logs, terminals, cron mail, or any downstream process that captures stdout.

Ssd 3

Medium
Confidence
96% confidence
Finding
This script is explicitly designed to read recent session files and echo user/assistant exchanges, which creates a direct confidentiality risk if those sessions contain credentials, tokens, personal information, or proprietary prompts. In the skill context, this is more dangerous because it is meant to run periodically as a cron job, increasing the chance of repeated unattended disclosure through logs, cron email, or shared workspace artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal