Back to skill

Security audit

Insight Engine

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can send sensitive local memory and repository context to Anthropic and Notion more broadly than its security notes imply.

Install only if you are comfortable with operational summaries, Git metadata, and daily OpenClaw memory text being processed by Anthropic and written to your Notion workspace. Review or disable memory and Git collection before running on private projects, prefer HTTPS for any remote Langfuse URL, and use --data-only or --dry-run first to inspect what would be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of sensitive capabilities including environment variables with API keys, outbound network access, shell execution, and local file/config access, but the file does not declare an explicit permissions model despite those capabilities being present. That mismatch is dangerous because an agent or reviewer may underestimate the skill's access scope, especially since it can read secrets, call external APIs, and write reports to third-party services.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads a local memory file and includes up to 6000 characters of its contents in the LLM analysis packet sent onward for model processing. The skill description mentions logs, metrics, Langfuse traces, and gateway logs, but not arbitrary local memory files, so this expands data access scope and can expose sensitive notes, prompts, secrets, or personal data to external services.

Missing User Warnings

Low
Confidence
72% confidence
Finding
This collector reads commit history, author names, commit bodies, and changed file names from any repositories listed in GIT_REPOS, and defaults to the current directory with no user-facing disclosure or consent flow. In an agent skill that aggregates operational data into LLM and Notion reports, this increases the chance of silently exfiltrating sensitive source metadata, secrets accidentally committed to messages, or developer-identifying information into downstream systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The collector defaults to an HTTP base URL and immediately uses Basic Auth credentials for API requests, which can expose the Langfuse public/secret key pair over an unencrypted channel. In operational insight pipelines, these credentials may grant access to traces, observations, and scores that can contain sensitive prompts, outputs, metadata, or user data, so network interception or misconfiguration could lead to credential theft and data exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The collector reads per-day markdown files from a user memory directory under the home folder and returns their full contents without any consent gate, minimization, or clear disclosure that these files may contain sensitive notes, prompts, or context. In this skill, the collected data is intended to flow into later analysis/reporting stages, so silently ingesting memory content increases the risk of privacy leakage into downstream LLM processing or external reporting systems such as Notion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends operational data to Anthropic, and elsewhere the workflow also sends data to local HTTP services such as Ollama and control-plane endpoints, without any explicit consent gate, warning, or privacy notice. Because the packet can include logs, Langfuse summaries, git activity, and memory context, users may unknowingly exfiltrate sensitive operational data outside the local trust boundary.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code transmits reflection content, model metadata, and operational notes to a third-party SaaS platform without any visible consent, minimization, or classification gate in the write path. In an insight pipeline handling logs and traces, that can result in accidental disclosure of sensitive operational data, prompts, or user-derived content to Notion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.