Back to skill

Security audit

Edicts — Ground Truth for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local facts tool for adding trusted information to agent prompts; the main risk is persistent prompt influence if users enable runtime writes.

Install this only if you want a local persistent facts layer that can shape agent prompts. Keep edicts curated and trusted, verify the package/version you install, and leave write tools disabled or restricted to read-only tool names unless you deliberately want agents to add, update, or remove future prompt context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill markets itself as a 'ground-truth' and largely read/search-oriented plugin, while the documented tool surface includes mutation capabilities such as add, update, and remove, and the finding indicates additional import/export and automatic state-changing behaviors. In an agent setting, this mismatch is dangerous because operators may trust the plugin as passive context infrastructure, but it can alter local files or agent memory state, enabling unauthorized persistence, data tampering, or exfiltration to arbitrary local paths if write-capable features are enabled or insufficiently constrained.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The get() method is semantically a read, but it mutates persistent state by updating lastAccessed and may immediately autosave. In an agent/tooling context that promises read/search access, hidden writes can violate least-privilege assumptions, trigger unexpected file modifications, and let a caller with only apparent read access influence review/staleness logic or audit-related metadata.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The render() method performs a bulk hidden mutation by marking every edict as accessed and persisting the change. This is especially risky in this skill context because rendering appears read-only, yet it can rewrite the backing store, suppress stale-item detection, and create unexpected state changes from simple prompt assembly or inspection workflows.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
**Runtime tools are opt-in and configurable.** The OpenClaw plugin exposes tools that let agents add, update, and remove edicts at runtime. This is powerful (agents can establish persistent ground truth) but also a privileged capability. You can:

- **Disable write tools entirely:** set `tools.enabled: false` in plugin config
- **Whitelist specific tools:** use `tools.names` to allow only read operations (`edicts_list`, `edicts_search`, `edicts_stats`)
- **Disable auto-save:** set `autoSave: false` so runtime changes don't persist across sessions
- **Disable context injection:** set `includeSystemContext: false` to use tools without prompt injection
- **Audit edicts regularly:** use `edicts review` (CLI or tool) to catch stale or suspicious entries
Confidence
94% confidence
Finding
tools:*

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.md:47