Awesome Skills

Security checks across malware telemetry and agentic risk

Overview

This is a small markdown-only skill for browsing community OpenClaw skills; its install-related wording deserves caution, but the artifact shows no hidden code or automatic environment changes.

Use this as a discovery aid. Before installing any skill it surfaces, inspect that separate skill's source, permissions, credentials, and install steps, and only proceed when you intentionally want to modify your local OpenClaw environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Low
Confidence: 89%
Finding
The usage text is overly broad and does not define when the skill should be invoked or what boundaries apply. In an agent setting, vague activation criteria can cause the skill to be selected in unintended contexts, increasing the chance of unnecessary external fetching or follow-on actions such as installing third-party skills without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
Advertising 'one-click installation' without any warning or guardrails normalizes an environment-modifying action on content fetched from a community repository. Because this skill is designed to discover third-party skills, the context makes the risk more significant: users may be led from browsing to installing unreviewed code or configuration with insufficient notice or consent.

VirusTotal

65/65 vendors flagged this skill as clean.
