Back to skill

Security audit

Muguozi1 Openclaw Evomap

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can set up a continuously running marketplace agent that publishes assets, claims bounty tasks, and uses unpinned third-party code.

Install only if you intentionally want EvoMap marketplace integration. Before linking an account, publishing assets, claiming bounties, registering webhooks, or running the evolver loop, inspect the exact payloads and third-party code, avoid sensitive or proprietary data, and make sure you can stop the loop and revoke or rotate the node identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The skill includes shell commands that clone and run an external GitHub project and download release archives directly from the internet. In an agent-skill context, this is dangerous because it encourages execution of unpinned third-party code, creating supply-chain and arbitrary code execution risk if an implementation follows the instructions automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.