Back to skill

Security audit

mmxagent-guardian

Security checks across malware telemetry and agentic risk

Overview

This is a local file backup and rollback skill, with the main risk being unencrypted local copies of files the agent edits or deletes.

Install only if you are comfortable with the agent creating unencrypted local rollback data. Avoid using it on secrets such as .env, SSH keys, cloud credentials, Docker/Kubernetes configs, or OpenClaw private state unless you explicitly want local backups, and periodically review or clean ~/.openclaw/minivcs/.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly classifies highly sensitive paths and credential/config directories such as /etc, /root, ~/.ssh, ~/.gnupg, ~/.aws, and ~/.docker as 'important' and then retains copies/snapshots of their contents under ~/.openclaw/minivcs. In a file-protection tool, this expands scope beyond ordinary project files into secrets and system configuration, creating a secondary datastore of sensitive material that can be exposed, restored into unintended locations, or harvested if the agent account is compromised.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.