Back to skill

Security audit

Agent Builder

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for creating OpenClaw agent workspace files, with disclosed memory, heartbeat, and autonomy options that users should review.

Safe to install for building OpenClaw agents. Before using generated files, review AGENTS.md, SOUL.md, MEMORY.md, and HEARTBEAT.md; keep memory free of secrets, leave heartbeats empty until needed, and choose conservative autonomy unless broad autonomy is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence
86% confidence
Finding
This markdown file includes a manifest-style description, so vague-trigger review applies. The phrase 'Use when you want to design a new agent' is fairly broad and does not define tighter activation boundaries or exclusion conditions, which could cause the skill to match ordinary brainstorming or planning requests that are not intended to invoke full workspace generation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.