Context Nexus

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly upfront about being an advanced installer, but it automatically fetches external code and makes persistent OpenClaw changes without adequate safeguards.

Review the external Context Nexus GitHub runtime before running this skill. Use a disposable or non-production OpenClaw profile first, back up ~/.openclaw/openclaw.json, prefer --skip-restart or --skip-openclaw until you are ready, and avoid opening or sharing generated intake URLs unless you are comfortable exposing the deployment status fields they contain.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises shell-based installation and verification behavior that includes file reads/writes and network access, yet it declares no permissions. This weakens informed consent and any permission-gating the platform may rely on, making it easier for users to trigger configuration changes, remote fetches, and external communications without clear disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The described purpose frames the skill as a verifier, but the content indicates materially more powerful behavior: fetching remote code, running install steps, modifying OpenClaw configuration, installing a plugin, restarting a gateway, and routing failures to external commercial intake endpoints. That mismatch is dangerous because users may consent to a check-only diagnostic while actually authorizing persistent system changes and external data flow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is presented as a verifier, but it clones a remote repository, runs its installer, rewrites the user's OpenClaw configuration, installs a plugin, restarts the gateway, and executes a smoke test. That mismatch is dangerous because a user expecting read-only verification may unknowingly grant broad code execution and persistent system changes, which is especially risky in an agent skill context where shell scripts may be run with trust.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script contains a built-in paid upsell flow that constructs an intake URL and prints a Done-For-You offer when failures occur, including a remote cloud-hosted endpoint. While not direct code execution by itself, embedding external intake routing into an installation verifier creates unnecessary data egress and social-engineering pressure at exactly the point where operators are dealing with errors and may be less cautious.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to patch `~/.openclaw/openclaw.json`, install a plugin, and restart the gateway, which are system-affecting actions that can break an agent environment or introduce unsafe code paths if performed blindly. Although the document elsewhere hints at an advanced/manual setup, the fast-path instructions do not clearly foreground the operational risk at the point of action, making unsafe execution more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that failure telemetry is placed into an intake-link query string and routed to a private external service, but it does not provide a clear privacy notice, data-minimization guarantee, or warning that URLs may be logged by browsers, proxies, shells, and web servers. In this skill context, deployment failures could expose sensitive environment details, config state, hostnames, or operational metadata, making query-string transmission an unsafe default.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill text mentions wiring config, installing a plugin, restarting the gateway, and running a smoke test, but does not present an explicit warning in the user-facing description that these actions alter system state and may interrupt service. In context, this is more dangerous because the skill is positioned as an installation helper and includes a one-line fast path that encourages immediate execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script silently creates or modifies the user's OpenClaw config, adds plugin load paths, and enables a plugin without a clear interactive warning or confirmation. This creates persistence and changes future application behavior, so in the context of an agent integration skill it is more dangerous than a normal setup script because it alters trusted execution paths in a hidden way.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs a plugin into OpenClaw and restarts the gateway without a strong safety warning, despite these actions changing runtime behavior and loading code from the cloned repository. In this skill context, plugin installation and service restart are highly sensitive because they can immediately activate unreviewed code and disrupt an existing agent environment.

VirusTotal

65/65 vendors flagged this skill as clean.