Security audit

OpenClaw Coach

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its coaching purpose, but it runs scheduled scripts that overwrite local Obsidian files and send messages to a fixed recipient without enough user-controlled scoping.

Review before installing. Confirm the message target is yours, change it to a user-controlled configuration if possible, back up the Obsidian folder, and only enable the schedule if you accept automatic file overwrites from GitHub and recurring outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill declares shell-executed scripts and event-driven automation, but no permissions are declared to make that capability explicit or constrain its use. This creates a transparency and least-privilege problem: users and reviewers cannot easily assess that local commands and file-modifying operations may run automatically.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill is designed to automatically synchronize content into the user's Obsidian knowledge base on a schedule, which implies recurring local file creation or modification without any explicit warning, confirmation flow, or scope limitation. In context, this is more dangerous because it targets a personal knowledge base, where unintended overwrites, note pollution, or storage of untrusted content can affect user data integrity over time.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script unconditionally sends a message to a hard-coded recipient identifier without runtime confirmation, recipient validation, or visible user consent. In a scheduled automation skill, this can cause unintended outbound communication, metadata leakage about user activity, and misuse if the recipient ID is wrong, stale, or attacker-controlled.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script sends a message to a hard-coded recipient ID automatically, without any runtime confirmation, recipient validation, or clear disclosure beyond internal comments. In a scheduled coaching skill, this can cause unintended disclosure of user-tailored content or spam-like behavior, and the fixed target makes misdelivery persistent if the ID is wrong or reused.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script silently fetches remote content from GitHub and overwrites local Markdown files in the user's Obsidian vault without integrity checks, backup, diffing, or any confirmation step. In this skill's context, that is security-relevant because remote documentation can change unexpectedly or be tampered with upstream, causing untrusted content to be written into a trusted local knowledge base and potentially misleading the user or clobbering prior notes.

VirusTotal

64/64 vendors flagged this skill as clean.
