Back to skill

Security audit

Governed Agents

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its governance purpose, but it should be reviewed because some high-impact verification, credential, network, and persistence behavior is under-scoped or weaker than advertised.

Install only if you are comfortable with a skill that can spawn local agent CLIs, run configured verification commands, make outbound URL checks, and store task metadata locally. Treat HTTP mode and self-reporting as review-sensitive: avoid using workspace .env tokens unless intended, keep endpoints local or trusted, and do not rely on the direct spawn path as proof that all advertised verification gates ran.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if health != "200":
        pytest.skip(f"Command Center not reachable (HTTP {health})")
    token = _resolve_token()
    r = subprocess.run([
        "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
        "-X", "POST", f"{CC_URL}/api/governed/spawn",
        "-H", f"Authorization: Bearer {token}",
Confidence
84% confidence
Finding
r = subprocess.run([ "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "-X", "POST", f"{CC_URL}/api/governed/spawn", "-H", f"Authorization: Bearer {token}", "-

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Gate 4: Run tests and check they pass."""
    result = VerificationResult()
    try:
        proc = subprocess.run(
            shlex.split(test_command), shell=False, cwd=cwd,
            capture_output=True, text=True, timeout=timeout
        )
Confidence
89% confidence
Finding
proc = subprocess.run( shlex.split(test_command), shell=False, cwd=cwd, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Gate 5: Run linter and check for errors."""
    result = VerificationResult()
    try:
        proc = subprocess.run(
            shlex.split(lint_command), shell=False, cwd=cwd,
            capture_output=True, text=True, timeout=timeout
        )
Confidence
89% confidence
Finding
proc = subprocess.run( shlex.split(lint_command), shell=False, cwd=cwd, capture_output=True, text=True, timeout=timeout )

Tainted flow: 'cmd' from os.environ.get (line 229, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
env = _build_subprocess_env("openclaw", {})
            cwd = str(WORKSPACE)

        run_result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
80% confidence
Finding
run_result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout + 30, cwd=cwd, env=env, )

Tainted flow: 'CC_URL' from os.environ.get (line 15, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
if health != "200":
        pytest.skip(f"Command Center not reachable (HTTP {health})")
    token = _resolve_token()
    r = subprocess.run([
        "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
        "-X", "POST", f"{CC_URL}/api/governed/spawn",
        "-H", f"Authorization: Bearer {token}",
Confidence
88% confidence
Finding
r = subprocess.run([ "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "-X", "POST", f"{CC_URL}/api/governed/spawn", "-H", f"Authorization: Bearer {token}", "-

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The grounding gate treats `GOVERNED_NO_NETWORK=1` as a successful URL verification result, which allows all external-source reachability checks to be bypassed without any compensating control in this function. In a system whose purpose is to verify agent outputs and prevent hallucinated success, this can let unverified or fabricated citations pass as grounded evidence, weakening the trust boundary for non-coding task validation.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module advertises semi-deterministic grounding checks as part of a verification pipeline, but the implementation can silently skip URL validation and still report success. This mismatch is dangerous because downstream components or operators may rely on the gate's PASS result as evidence that sources were actually checked, creating a false assurance condition that undermines the security model of the governed-agent system.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The wrapper claims deterministic verification and imports run_full_verification, but in practice only checks whether required files exist before assigning success/reputation outcomes. In a governance/security tool, this mismatch is dangerous because users may rely on verification guarantees that are not actually enforced, allowing hallucinated or untested outputs to be scored as valid.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The HTTP helper accesses bearer tokens from environment variables and then falls back to reading a local .env file in the workspace. This expands the skill's trust boundary into credential discovery and makes secret use implicit, which is especially risky in an agent skill whose stated purpose is verification and scoring rather than credential management.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Adding remote HTTP spawning changes the data-flow and trust model from local verification to networked task submission, including transmission of objectives and possibly credentials. In a governance-focused skill, this undeclared remote capability increases exfiltration and misuse risk because users may not expect their task content to leave the local environment.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The orchestrator embeds instructions telling a sub-agent to execute a local Python command on the host. Even though some arguments are shell-quoted, this crosses a trust boundary by delegating command execution to an LLM-driven agent, which can lead to unauthorized local actions, reputation DB tampering, or abuse of the execution environment if the agent follows or mutates the command unsafely. In this skill context, that is more dangerous because the whole system is designed to spawn and govern sub-agents, so normalizing host-side command execution materially increases risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly documents a `url_reachable` grounding check that performs outbound HTTP requests (`HEAD`, timeout 3s, max 5), but it does not clearly warn users that enabling this verification mode causes the skill to contact arbitrary URLs extracted from model output. In an agent setting, this can create SSRF-like behavior, unexpected egress to internal or sensitive endpoints, privacy leakage, and policy/compliance issues because untrusted output may control the request targets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends task content and an optional bearer token to an HTTP endpoint without any user-facing disclosure or consent mechanism. In agent ecosystems, silent network transmission is security-relevant because it can leak sensitive prompts, file names, objectives, or credentials to a service the user did not intend to contact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code silently reads authentication tokens from environment variables and then from a local .env file. Hidden credential access is dangerous because it can surprise operators, broaden secret exposure, and enable unauthorized outbound authentication if the skill is used in a context with reusable tokens present.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists task metadata including `task_id`, `agent_id`, `objective`, `status`, `details`, and verification outcomes into a SQLite database by default, with no evidence in this file of user notice, consent, minimization, or retention controls. Because `objective` and `details` can contain sensitive prompts, business data, or user-provided content, this creates a privacy and data-governance risk if operators or downstream components assume ephemeral processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.