ClawSergeant

Security checks across malware telemetry and agentic risk

Overview

ClawSergeant is a coherent OpenClaw training skill, but it sends training content to external LLM/agent services and persists training memory with limited runtime control.

Install only for a controlled OpenClaw training setup. Confirm the target CLAW_RECIPIENT, avoid confidential prompts or agent outputs, use a limited API key, inspect or disable lesson logging and MEMORY.md writes if persistent memory is not intended, and obtain/review the missing learning_logger.py before running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill writes training-derived summaries into an OpenClaw workspace MEMORY.md, which crosses from transient evaluation into persistent modification of another workspace. In an agent-training context, this can create prompt/policy poisoning, leak sensitive training details, or silently influence future agent behavior beyond the approved session scope.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation text is overly broad and can trigger on generic requests about training, improving, or evaluating nearly any AI agent. This increases the chance the skill is auto-selected in contexts the user did not intend, causing unnecessary access to external services, shell tooling, or persistent logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that training interactions, evaluations, errors, and summaries are persisted to local lesson logs and to MEMORY.md, but it does not provide an explicit retention warning or consent mechanism. Because training dialogs may contain sensitive prompts, model outputs, identifiers, or operational details, silent persistence can create privacy, compliance, and cross-session data exposure risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code forwards task descriptions, agent outputs, evaluator feedback, and stage context to external LLM services via `self._llm.chat(...)` and `self._llm.chat_json(...)` without any visible consent, warning, redaction, or data-classification checks. In a training skill, these exchanges can contain sensitive prompts, proprietary agent behavior, secrets accidentally emitted by the agent, or user-derived content, creating a real data exposure risk even if the feature is functionally intended.

Context Leakage

High
Category
Data Exfiltration
Content
    async def chat(
        self, conversation: Conversation, temperature: float = 0.7
    ) -> str:
        """Send the conversation to the LLM and return the assistant reply."""
        if not self._client:
            raise RuntimeError("LLMHandler not started; call start() first")
Confidence
77% confidence
Finding
Send the conversation

Context Leakage

High
Category
Data Exfiltration
Content
    async def chat_json(
        self, conversation: Conversation, temperature: float = 0.3
    ) -> dict:
        """Send the conversation and parse the reply as JSON.

        Uses the response_format API parameter to enforce valid JSON output.
        """
Confidence
77% confidence
Finding
Send the conversation

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27
loguru>=0.7
python-dotenv>=1.0
Confidence
95% confidence
Finding
httpx>=0.27

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27
loguru>=0.7
python-dotenv>=1.0
Confidence
95% confidence
Finding
loguru>=0.7

Unpinned Dependencies

Low
Category
Supply Chain
Content
httpx>=0.27
loguru>=0.7
python-dotenv>=1.0
Confidence
95% confidence
Finding
python-dotenv>=1.0

VirusTotal

66/66 vendors flagged this skill as clean.
