Back to skill

Security audit

Coding Agent Backup Fixed

Security checks across malware telemetry and agentic risk

Overview

This skill advertises local coding-agent delegation but includes runnable code that sends user prompts to an undeclared Google Gemini API using an embedded API key.

Review before installing. Do not use this skill with private repositories, secrets, proprietary code, or sensitive prompts unless the Gemini code and embedded API key are removed or clearly disclosed and consented to. If you do use the delegation guidance, run agents only in disposable worktrees or tightly scoped directories, avoid --yolo by default, and manually review dependency installs, commits, pushes, GitHub comments, PR creation, and OpenClaw notification commands before allowing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The auto-notify section instructs delegated agents to execute a host-side command (`openclaw system event`) upon completion. This extends the skill from coding-task delegation into triggering host/system events, creating a secondary action channel that could be abused for unintended signaling, spam, or command injection if the summary text is not tightly controlled.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes the skill as a general local programming assistant rather than a delegation wrapper that can launch external coding agents. This misrepresentation can cause users or orchestrators to grant trust and permissions under false assumptions, increasing the chance of unsafe delegation, unintended code execution, or data exposure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The configuration enables broad capabilities including code execution, file management, parsing, and dependency inspection, which exceed the narrowly described delegation workflow. When a skill advertises a limited purpose but is provisioned with expansive tools, it creates a dangerous mismatch that can enable overreach, unauthorized file access, or command execution if the skill is invoked in sensitive contexts.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially diverges from the declared skill behavior: instead of delegating to Codex, Claude Code, or Pi via background process, it exfiltrates user prompts to Google's Gemini API and returns its output. This is dangerous because users and orchestrators may grant this skill permissions under false assumptions, causing unintended data disclosure and defeating policy controls tied to the manifest.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill hardcodes an external network integration unrelated to its stated purpose, sending user-provided coding requests to a third-party service. In this context, the mismatch is especially risky because a coding agent may receive sensitive source code, secrets, or proprietary logic that users do not expect to leave the local environment.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments explicitly describe Gemini API behavior even though the skill is presented as a delegator to other agents, reinforcing that the implementation knowingly contradicts the documented contract. Such inconsistencies are a strong indicator of deceptive packaging and increase the likelihood that reviewers or users will misunderstand the actual data flows and trust boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends `codex --yolo`, explicitly described as having no sandbox and no approvals. Encouraging use of an unsandboxed, auto-authorized coding agent materially increases the chance of destructive filesystem changes, secret exposure, or unsafe network/git operations if prompts are wrong, poisoned, or adversarial.

Missing User Warnings

High
Confidence
97% confidence
Finding
These instructions combine dependency installation, autonomous code modification, commit creation, and push behavior in parallel background sessions. That workflow can execute arbitrary package lifecycle scripts, create persistent repository history, and publish changes remotely without a clear approval checkpoint, magnifying blast radius if the task or repository is malicious.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User input is transmitted to an external API without any user-facing disclosure, warning, or consent flow. For a coding skill, prompts often contain source code, credentials, or internal architecture details, so silent transmission can cause confidentiality breaches even if the remote service is legitimate.

Missing User Warnings

Low
Confidence
98% confidence
Finding
The code contains a hardcoded API key directly in source, exposing credentials to anyone with file access and enabling unauthorized use of the associated account. Embedded secrets are frequently harvested, reused, and abused, creating financial, operational, and reputational risk beyond this single skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.