@esign-cn/openclaw-veriagent

Security checks across malware telemetry and agentic risk

Overview

This plugin appears to be a disclosed VeriAgent onboarding and certificate-signing wrapper with no artifact-backed malicious behavior.

Install this only if you intend to use VeriAgent for agent certificates and signing. Review the VeriAgent backend/portal you connect to, understand that certificate materials will be stored locally, and use the reset command if you need to clear the plugin's local state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
This code presents user-facing errors, guidance, and command help in Chinese only, and the same pattern continues through other console output and the help section. That creates a natural-language locale policy issue because the skill forces a specific language without offering opt-in, fallback, or justification for a Chinese-only audience.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
This JavaScript file contains multiple user-facing natural-language strings in Chinese, beginning with the thrown error at L34 and continuing through tool descriptions and console messages. Because the skill does not offer any language selection or document a justified locale restriction, it appears to impose a specific language on users without opt-in, which matches the language/locale policy violation category.

VirusTotal

62/62 vendors flagged this plugin as clean.
