Back to skill

Security audit

Ambient Awareness for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local awareness skill that watches configured paths, stores local event logs, and sends notifications only when the user provides a target.

Install only if you want a local always-on monitoring helper. Keep watched paths narrow, do not point it at sensitive folders, schedule the pruning script if you run it continuously, and review any custom or audio/vision sensor code before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that include reading and writing state files, invoking Python scripts, and sending outbound notifications, yet it declares no permissions. That mismatch can prevent users or a host platform from making an informed trust decision and may allow broader file, shell, and network effects than expected once the skill is installed or executed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared description focuses narrowly on explicit recipients and bounded retention, but the documented runtime behavior is much broader: continuous sensor polling, state persistence, event scoring, filesystem monitoring, and outbound messaging. This can mislead reviewers about the true surveillance, data collection, and notification capabilities of the skill, increasing the chance that a powerful ambient-monitoring component is deployed without adequate scrutiny.

Intent-Code Divergence

Low
Confidence
73% confidence
Finding
The README says the clock sensor is 'always log-only,' but later says the owning agent can override scores per-event via importance_hint. If score overrides are unrestricted, a supposedly harmless heartbeat event could be promoted into the wake queue, undermining operator expectations and creating a path for unnecessary or unintended agent activation.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill claims bounded state retention, but EVENT_LOG and WAKE_LOG are append-only JSONL files with no rotation, TTL, or size cap. Because events can contain arbitrary sensor payloads and full wake-request copies of events, this creates indefinite accumulation of potentially sensitive data and a local disk exhaustion/privacy risk over time.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This loader reads registry and manifest data, then imports and instantiates arbitrary Python classes selected by those files. That enables execution of attacker-controlled code during module import or object construction, which undermines the stated safety goals of bounded retention and explicit-recipient controls because loaded sensors can simply ignore or bypass them.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code dynamically executes Python files chosen via manifest entrypoints using exec_module(), which is equivalent to running arbitrary code from the selected file. In the context of an ambient-awareness skill, this is especially dangerous because sensor code may gain access to sensitive contextual data and can perform unauthorized collection, persistence, or exfiltration.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest advertises a local filesystem watch sensor with file create/modify/delete capabilities, which does not align with the stated skill purpose of enforcing explicit recipients and bounded state retention. This mismatch is dangerous because it suggests the skill may collect or react to broad local file activity without clear justification, increasing the risk of unintended surveillance, sensitive data exposure, or hidden persistence beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it should enforce explicit recipients and bounded state retention, but this file implements broad filesystem monitoring, stateful snapshotting, and event generation over arbitrary configured paths. That creates surveillance and data-collection capability unrelated to the stated purpose, increasing privacy and abuse risk because the sensor can enumerate local files and persist metadata across runs.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code recursively scans configured directories, records file metadata, detects creations/deletions/modifications, and emits awareness events, which is a local surveillance function. In the context of a skill advertised as recipient enforcement and bounded retention, this mismatch makes the capability unjustified and dangerous because it can expose sensitive information about user activity and local files without a clear legitimate need.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The manifest advertises sensitive vision capabilities including OCR and object detection without any implementation evidence in the provided file. Overstating sensor capabilities is dangerous because it can mislead reviewers and downstream systems into granting camera-related privileges to a component whose behavior cannot be validated, increasing the chance of hidden or later-added surveillance functionality.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The skill's stated purpose is explicit recipients and bounded state retention, but the manifest requests camera, motion detection, object detection, and OCR capabilities that are unrelated to that purpose. This mismatch is a strong least-privilege violation: if enabled, it could provide unnecessary ambient sensing access and create privacy and surveillance risk far beyond the advertised function of the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes always-on filesystem monitoring and event logging but does not prominently warn about privacy and sensitivity risks from watching arbitrary paths and persisting metadata about observed activity. In this skill context, continuous monitoring is core functionality, which makes clear user consent, scope limits, and retention disclosure especially important to prevent accidental surveillance of sensitive directories.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Persistent event and wake logs are written automatically with no user-facing disclosure, consent mechanism, or clear indication of what sensor-derived data is being retained. In an ambient-awareness skill, silent persistence is more dangerous because sensor events may include contextual or personal data, and wake logs store the full event again, increasing exposure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The world state is saved persistently and includes sensor health, recent events, and counters without any explicit warning that sensor-derived data is retained on disk. Although recent_events is capped in memory, persisting it still creates an undisclosed local history that may expose contextual activity and summaries across runs.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
Executing dynamically selected sensor modules without any user-facing disclosure or administrative warning creates a transparency and consent problem. In a skill centered on ambient awareness, hidden code loading is more dangerous because users may reasonably expect strong privacy boundaries while new sensor code can silently expand collection or processing behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
sensor_loader.py:26