Security audit

Dynamic Tool

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it can steer an agent toward shell, file, and Feishu tools with loose scoping.

Install only if you intentionally want this skill to influence agent tool selection. Review or edit it so `exec` is only recommended for explicit weather or shell tasks, add stricter checks before `write` or Feishu management tools are suggested, and avoid the optional OpenClaw bundle patch unless you have audited the exact change and can roll it back.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s manifest advertises narrow intent-based routing for weather, documents, and search, but the implementation recommends many additional capabilities and always includes exec. In a tool-selection component, over-recommending privileged tools expands the agent’s reachable attack surface and can cause unrelated user messages to gain shell or workspace capabilities they did not require.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Recommending write-capable and broad Feishu management tools from simple keyword matches can steer the agent toward destructive or high-privilege actions without strong user confirmation. Because this skill is supposed to select relevant tools, unjustified inclusion of write, drive, chat, wiki, or bitable capabilities increases the chance of unauthorized modification, data exposure, or privilege misuse.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation says the skill maps keywords to relevant tools, but the code always recommends exec regardless of user intent. This mismatch is dangerous because operators may trust the description and deploy the skill assuming constrained behavior, while in practice every message gets shell access recommended, materially increasing execution risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is broad enough that the skill may trigger on common topics like weather, search, or documents without clear guardrails. Over-broad activation can steer the agent into unnecessary tool-selection flows and increase the chance of invoking sensitive tools in contexts where they are not needed.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'When to use' section uses ambiguous phrases like 'before calling many tools' and topic-based triggers that lack strict boundaries. This can cause unintended activation and may bias the agent toward specific tools, including exec, even when a safer or no-tool response would be more appropriate.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- 文档 / create doc / 飞书文档 → use **feishu_doc** only when the user explicitly asks for a document
- 读文件 / read file → **read**; 写/编辑 → **write**

**Tool:** `get_recommended_tools({ user_message })` → returns `recommended_tools` (array of tool names) and `hint` (short instruction).
Confidence
84% confidence
Finding

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.