opclawtm CLI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a setup guide, but it asks agents to perform broad local installs, handle secrets, and inspect logs without enough scoping or user-control safeguards.

Review this skill before installing. Use it only in a trusted local environment, do not paste real App Secrets or license keys into shared chat, approve any npm install or activation command yourself, and avoid letting the agent inspect gateway logs unless you understand exactly what identifiers may be shown.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
The document instructs the agent to execute a local shell command to read gateway logs and extract `ou_` user Open IDs, which goes beyond simple setup guidance into accessing locally stored data. This creates an unnecessary data-access path that may expose identifiers from logs without user review, consent, or minimization, and conditions the agent to inspect local files for operational data.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The document makes a broad safety assurance that deleting a team 'will not affect any previously created user content' without establishing evidence or scope for that claim. Misleading deletion guarantees can cause users to perform destructive actions under false assumptions, potentially resulting in accidental data loss or loss of configuration/state tied to the team.

Vague Triggers

Severity: Medium | Confidence: 92%
Finding
The trigger list includes broad, common phrases such as '初始化' (initialize), '配置问题' (configuration problem), and '授权问题' (authorization problem), which overlap with ordinary support conversations and can cause unintended skill activation. In an agent environment, accidental invocation can redirect the assistant into tool-specific workflows, reducing user control and increasing the chance of inappropriate guidance or actions.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The workflow tells users to copy and enter the Feishu App Secret without any warning about sensitive credential handling, storage, or masking. In an agent/TUI context, this increases the risk of secrets being exposed in terminal history, logs, screenshots, or mishandled prompts, which could enable unauthorized access to the Feishu app.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The instructions tell the agent to mine gateway logs for `ou_` identifiers and display them directly to the user, but provide no warning that logs may contain personal identifiers or other sensitive data. Even though an Open ID is not as sensitive as a secret, indiscriminate log inspection and disclosure can leak user metadata and normalize privacy-unsafe handling of log contents.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The document explicitly instructs an agent to run a global npm install and subsequent activation commands that can modify the host environment and initiate network communication, but it provides no requirement to obtain explicit user confirmation, disclose side effects, or warn about system-wide changes. In an agent setting, this creates a real safety risk because the agent may perform privileged, state-changing actions automatically on the user's machine.
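The confirmation step this finding says is missing, as an added example (not code from the opclawtm skill or from the SkillSpector report). It assumes the install step is `npm install -g <package>` and uses `opclawtm` only as a placeholder package name; the side-effect wording and the `<npm not found>` fallback are this example's own.

```shell
#!/bin/sh
# Added example: a confirmation gate in front of a global npm install.
# Assumed install command: "npm install -g <package>"; "opclawtm" below is a placeholder.
#
# Properties the finding asks for:
#   1. the package name is validated, so an injected "name" cannot smuggle
#      shell metacharacters or a URL into the command;
#   2. side effects are disclosed before anything runs;
#   3. confirmation must be typed at a terminal, so an agent cannot
#      auto-approve by piping "y" into the script.

# Accept only plain or scoped npm package names: lowercase, no shell metacharacters.
validate_pkg_name() {
  printf '%s' "$1" | grep -Eq '^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$'
}

# The exact command that would run, so the user sees it verbatim.
build_install_cmd() {
  printf 'npm install -g %s' "$1"
}

# Disclose side effects and require the user to type the package name back.
# Returns 0 only on an explicit, interactive confirmation.
confirm_install() {
  pkg=$1
  if ! validate_pkg_name "$pkg"; then
    echo "refusing: '$pkg' is not a valid npm package name" >&2
    return 1
  fi
  if [ ! -t 0 ]; then
    echo "refusing: confirmation must be typed at a terminal, not piped in" >&2
    return 1
  fi
  prefix=$(npm prefix -g 2>/dev/null || echo '<npm not found>')
  echo "About to run: $(build_install_cmd "$pkg")"
  echo "Side effects: writes under the global npm prefix ($prefix), may add a"
  echo "binary to your PATH, and contacts the npm registry over the network."
  printf 'Type the package name to confirm, anything else to abort: '
  read -r answer
  [ "$answer" = "$pkg" ]
}

# Run the install only after confirm_install succeeds.
run_install() {
  confirm_install "$1" || return 1
  npm install -g "$1"
}

# Usage (interactive shell): run_install opclawtm
```

The TTY check is the part that matters in an agent setting: an agent that drives the shell through a pipe cannot satisfy `[ -t 0 ]`, so the install only proceeds when a person is at the keyboard.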

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
The skill instructs the agent to display the authorization key back to the user without any sensitivity handling guidance. License keys are secrets or semi-secrets in many environments, and echoing them into chat, logs, transcripts, screenshots, or shared sessions can expose them to unauthorized parties and enable misuse or account abuse.

Vague Triggers

Severity: High | Confidence: 96%
Finding
The trigger conditions include very broad natural-language phrases such as “我想要...” (I want...) and “我需要一个...” (I need a...), which are common in ordinary conversation. In an agent system, this can cause unintended activation of the skill on unrelated messages, leading to misrouting, noisy task creation, or unauthorized workflow execution if downstream automation trusts the trigger.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The document instructs the agent to read local logs, extract user IDs beginning with `ou_`, and then "display them directly to the user", with no identity verification, minimum-disclosure rule, or sensitive-data notice. This makes the agent proactively expose identifiers from the logs during troubleshooting; if the request comes from an unauthorized party, it can lead to privacy leakage, account enumeration, or material for later social engineering.
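What minimization looks like for the three findings about mining gateway logs for `ou_` identifiers, and for the finding about echoing the license key, as an added example (not code from the opclawtm skill or from SkillSpector). It assumes Open IDs are `ou_` followed by lowercase alphanumerics (the exact length is not assumed), and the key names in `SECRET_KV_RE` (`app_secret`, `license_key`, `authorization`) stand in for whatever the real gateway writes; the log lines are constructed and contain no real identifier or credential.

```javascript
// Added example: a minimizing log reader for the `ou_` Open ID lookup the
// findings flag. Not code from the opclawtm skill or from SkillSpector.
// Assumptions: Open IDs are "ou_" + lowercase alphanumerics (length not
// assumed); the credential key names below are placeholders for the real
// gateway's field names.

const OPEN_ID_RE = /\bou_[0-9a-z]{8,}\b/g;
// key=value or key: "value" pairs whose key names a credential
const SECRET_KV_RE = /\b(app_secret|license[_ ]?key|authorization)\s*[=:]\s*("?)([^\s",;]+)\2/gi;

// Constructed sample: two users (one appears twice), one App Secret, one
// license key. Nothing here is a real credential or Open ID.
const SAMPLE_GATEWAY_LOG = [
  '2024-05-01T10:00:00Z INFO  gateway started',
  '2024-05-01T10:00:05Z INFO  feishu auth ok app_id=cli_demo app_secret=shh_this_is_a_sample_secret',
  '2024-05-01T10:01:12Z INFO  event=im.message.receive open_id=ou_0123456789abcdef0123456789abcdef',
  '2024-05-01T10:01:13Z DEBUG reply sent to ou_0123456789abcdef0123456789abcdef',
  '2024-05-01T10:02:40Z INFO  event=im.message.receive open_id=ou_fedcba9876543210fedcba9876543210',
  '2024-05-01T10:03:00Z INFO  activation license_key=OPC-SAMPLE-0000-1111 status=ok',
].join('\n');

// Pull out only the identifiers, de-duplicated, in order of first appearance.
function extractOpenIds(logText) {
  const seen = new Set();
  for (const m of logText.matchAll(OPEN_ID_RE)) seen.add(m[0]);
  return [...seen];
}

// Keep both ends so a human can tell IDs apart; hide the middle.
function maskIdentifier(id, keep = 6) {
  if (id.length <= keep * 2) return '*'.repeat(id.length);
  return id.slice(0, keep) + '*'.repeat(id.length - keep * 2) + id.slice(-keep);
}

// Replace the value of credential-looking pairs; keep the key for readability.
function redactSecrets(line) {
  return line.replace(SECRET_KV_RE, (_, key, quote) => `${key}=${quote}[REDACTED]${quote}`);
}

// What the agent should hand back: a count and masked IDs, never raw log
// lines. Full identifiers only when the user explicitly asks (reveal: true).
function summarizeOpenIds(logText, { reveal = false } = {}) {
  const ids = extractOpenIds(logText);
  return {
    count: ids.length,
    openIds: reveal ? ids : ids.map((id) => maskIdentifier(id)),
    note: reveal
      ? "full identifiers shown at the user's explicit request"
      : 'identifiers masked; ask again with reveal=true to see them in full',
  };
}

// If log lines must be shown at all, show this form: secrets scrubbed and
// Open IDs masked, line by line.
function sanitizeLog(logText) {
  return logText
    .split('\n')
    .map(redactSecrets)
    .map((line) => line.replace(OPEN_ID_RE, (id) => maskIdentifier(id)))
    .join('\n');
}

console.log(summarizeOpenIds(SAMPLE_GATEWAY_LOG));
console.log(sanitizeLog(SAMPLE_GATEWAY_LOG));
```

The point of `summarizeOpenIds` is that the default path returns a count and masked values; the agent only gets the full identifiers when the user opts in, and the raw lines (which also carry the App Secret and license key) never reach the transcript unless they have gone through `sanitizeLog`.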

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal