Identity Persistence Layer

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned, but it sends sensitive local identity and memory files to Gemini using a local Google token without clear disclosure or consent controls.

Review before installing. Use this only if you are comfortable sending the contents of the listed OpenClaw workspace identity and memory files to Google Gemini under the local Google API token. Do not run it on workspaces containing secrets, credentials, private personal data, or confidential agent memory unless the skill adds explicit consent, file preview/selection, redaction, and a truly offline score-only mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium (96% confidence)

Finding
The code reads a locally stored Google API token from an auth profile and uses it to send synthesized prompt content built from multiple local workspace files to the Gemini API. This creates an explicit secret-handling and data-egress path from sensitive local identity/memory documents to an external service without access scoping, consent checks, or minimization, which is dangerous even if the feature is intentional.

Intent-Code Divergence

Medium (88% confidence)

Finding
The usage text claims '--score-only' only computes continuity against the last snapshot, but the implementation still reads source files, loads the API key, and performs a fresh Gemini call before scoring. This mismatch can mislead operators into believing the mode is offline or non-egress when it still transmits local data externally, increasing the risk of unintended disclosure.

Missing User Warnings

Medium (95% confidence)

Finding
The skill explicitly requires a Gemini API key for identity extraction and states it processes agent memory files such as MEMORY.md and SOUL.md, but it does not warn users that potentially sensitive memory contents will be transmitted to an external third-party API. This creates a real privacy and data-governance risk because users may unknowingly send confidential prompts, personal data, credentials, or internal agent state outside the local environment.

Missing User Warnings

Medium (97% confidence)

Finding
The skill concatenates contents from several local markdown files, including identity, memory, and user-related documents, into a prompt and sends them to an external LLM service without any explicit warning or confirmation. In this context those files are likely highly sensitive, so silent exfiltration to a third-party API materially increases confidentiality and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.