Runtime Doctor

Security checks across malware telemetry and agentic risk

Overview

Runtime Doctor mostly performs local diagnostics, but it also prepares a third-party support URL containing the machine hostname and diagnostic state without clear field-level consent.

Review before installing. Use it only if you are comfortable with a local report being written under your OpenClaw workspace and with degraded runs showing a third-party intake URL that includes your hostname and runtime status. Treat that URL and the report as sensitive; do not click or share it unless you intend to send those details to the support endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill advertises diagnostic behavior yet the metadata declares no permissions while the content indicates capabilities to read environment/configuration, access files, write a report, use shell commands, and potentially reach the network. Undeclared capabilities weaken user consent and review controls because operators cannot accurately assess what the skill may access or modify before running it.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The skill is presented as a local, non-destructive runtime diagnostic, but it also includes a monetization and external intake flow to a remote Cloudflare-hosted endpoint. This mismatch is dangerous because users may provide trust, local system context, or operational details under the assumption of offline diagnosis, while the skill steers them into an external commercial workflow not clearly framed as a separate, optional action.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill is presented as a local, non-destructive diagnostic tool, but it constructs an external intake URL containing hostname, status, severity, failure class, and a diagnostic headline. Even if the code only prints the URL instead of directly sending it, embedding sensitive local metadata into a third-party endpoint without clear consent creates an unnecessary data disclosure channel and contradicts the stated behavior.

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The skill says it writes a repair report but does not disclose the destination, filename, or scope of written content. Even if intended to be benign, undocumented file writes can overwrite files, leak sensitive diagnostic data into insecure locations, or surprise users who expected a read-only diagnostic tool.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The generated intake URL includes sensitive environment and diagnostic fields such as hostname and failure details, targeting an external Cloudflare tunnel endpoint. This creates a privacy and telemetry risk because the data is prepared for transmission without explicit user warning, and URL query parameters are especially prone to logging in terminals, browsers, proxies, and server access logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal