EDI MSP Toolkit
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: msp-toolkit
Version: 1.0.0
The `SKILL.md` file contains a 'Setup' instruction `clawhub publish /home/cc/.openclaw/workspace/skills/msp-toolkit`. This command instructs the AI agent to publish the skill itself. This is a form of prompt injection, as it directs the agent to perform an action (self-publication) that typically requires explicit user consent and could bypass review processes, representing an unauthorized attempt at distribution or self-propagation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed, the agent could publish or modify a ClawHub skill under the user's account instead of performing the expected MSP checks.
The default setup path tells the user or agent to install a CLI and publish a local skill directory. Publishing is a high-impact registry/account action and is not necessary for the stated MSP audit and health-check purpose.
    ## Setup
    npm install clawhub
    clawhub publish /home/cc/.openclaw/workspace/skills/msp-toolkit
Do not run the publish command as part of setup. The maintainer should remove it or replace it with normal, user-confirmed usage instructions for the MSP tools.
The skill may not actually provide the advertised tools, and any missing helpers would need separate review before use.
The skill references helper scripts and commands, but the supplied manifest contains only SKILL.md and no code files. That makes the advertised implementation unavailable for review in this artifact set.
- msp-dashboard.py: Daily Azure/M365 status.
- healthcheck: Firewall/SSH/update audits.
- nuc-reset.sh: NPU reboot script.
Ask for a complete package containing the referenced scripts, with clear provenance and install instructions, before relying on the skill.
