Openclaw Coach

Security checks across malware telemetry and agentic risk

Overview

This skill performs the disclosed OpenClaw coaching workflow, but users should understand it writes to an Obsidian subfolder, sends OpenClaw/Feishu messages, and the tip-selection reply flow is not actually implemented.

Install only if you want scheduled automation that updates $HOME/Obsidian/Docs/OpenClaw and sends coaching messages through your configured OpenClaw/Feishu account. Verify FEISHU_USER_ID points to the intended recipient, keep the local tips folder trusted, and do not rely on replying with a number to control tomorrow's tip until the skill implements that handler.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises scheduled automation and event-triggered shell scripts, but it declares no permissions despite requiring shell execution. Undeclared execution capability is dangerous because users and the platform cannot accurately evaluate what local actions the skill may perform, especially when it also modifies a local Obsidian knowledge base.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
This is a true security-relevant mismatch: the skill description omits outbound messaging behavior, network access to GitHub resources, and misrepresents how user choice is handled. Hidden external communication and undeclared network activity reduce informed consent and can enable silent data exfiltration, unexpected notifications, or trust abuse under the guise of a benign coaching skill.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The script tells the user they can choose tomorrow's topic, but it immediately persists the first randomly selected option before any reply is collected. This creates a deceptive workflow where user agency is misrepresented, and downstream automation may act on a topic the user never selected.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The implemented behavior does not match the advertised capability: it sends three options but never implements any input-handling path for selection, instead silently fixing tomorrow's tip to a random entry. In an agent skill, this kind of mismatch is security-relevant because users may trust that their responses control behavior when they actually do not.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill is designed to automatically write synchronized content into the user's local Obsidian directory on a schedule, but the description does not clearly warn that local files will be modified. Automatic filesystem changes can overwrite notes, introduce unwanted content, or create persistence without the user's informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.
