Security audit

Muguozi1 Openclaw Proactivity

Security checks across malware telemetry and agentic risk

Overview

This skill is a local proactivity and memory aid that discloses its local storage and shows no hidden network, destructive, or credential-handling behavior.

Install only if you want the agent to keep local operating notes across sessions. Review ~/proactivity periodically, avoid putting secrets or highly sensitive details in those files, and require approval before any workspace integration snippets are written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The skill explicitly instructs creation of files and directories under the user's home directory (`~/proactivity/...`) without any warning, consent gate, or explanation that local filesystem state will be modified. While the paths and filenames appear benign and aligned with the skill's purpose, silent persistence on disk can surprise users, create unwanted data retention, and normalize unauthorized file writes by the agent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to create a persistent local directory and multiple state files under ~/proactivity, then set permissions, without requiring a clear user-facing disclosure that local storage will be created and populated. This creates a privacy and consent risk because the skill is designed to retain behavioral preferences, task state, and recovery data across sessions, which may surprise users and expand the amount of sensitive local data stored.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.