Back to skill

Security audit

maxclaw-doctor

Security checks across malware telemetry and agentic risk

Overview

This local file-protection skill is not clearly malicious, but it can copy, delete, restore, and retain sensitive files outside a project with incomplete warnings and scoping.

Install only if you are comfortable with a skill that stores local copies of files it records or deletes. Keep use limited to intended project files, avoid secrets or personal documents unless explicitly needed, review/protect ~/.openclaw/minivcs/, and treat cleanup/remove or restore commands as potentially irreversible or overwriting operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the agent to read, modify, delete, restore, and clean up files, but it declares no permissions or capability boundaries. That mismatch is dangerous because it hides the real power of the skill from the hosting system and reviewers, increasing the chance that file-destructive behavior executes without appropriate sandboxing or user consent enforcement.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation gives conflicting statements about binary-file protection: earlier it says binary files are backed up as .bak, while this section tells users binary files 'will not be recorded.' In a file-protection skill, that inconsistency can mislead users into believing destructive operations are recoverable when they may not be handled as expected, causing data loss and unsafe operator decisions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The restore logic trusts the recorded filePath and, if it is absolute, writes directly to that absolute location instead of constraining restores to the declared project root. Because records can contain absolute paths from earlier operations or a tampered log, this enables restoration or overwrite of arbitrary filesystem locations, which exceeds the skill's stated project file-protection purpose and can affect sensitive system or user files.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill marks files under home directories, system locations, and configuration-like names as 'important' and extends their retention period, which signals intended handling of sensitive files beyond normal project artifacts. In a file-protection skill, this broadens the operational scope to potentially sensitive personal or system configuration data and increases exposure if backups, diffs, or logs are accessed by another process or user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cleanup section includes permanent deletion commands for historical records and physical backup artifacts, but it does not require the same strong pre-deletion warning and confirmation flow mandated earlier for modify/delete operations. Because the backups are the recovery mechanism, deleting them without explicit user acknowledgment can silently destroy rollback and restore capability, turning later mistakes into permanent data loss.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Restore and rollback operations perform filesystem writes and moves that can overwrite existing content without an execution-time confirmation or safety interlock. In an agent context, that creates a material risk of unintended data loss or restoration to the wrong location, especially when combined with permissive path handling and log-driven targets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.