duo

Security checks across malware telemetry and agentic risk

Overview

This Duo skill is not clearly malicious, but it should be reviewed because it can read local profile and memory files and send sensitive personal summaries to an external matchmaking API by default.

Install only if you are comfortable with Duo reading local OpenClaw profile or memory files and sending summarized personal details to NDAI. Before creating or joining a room, ask the agent to list which files it read, show the exact private instructions it plans to send, remove finance, health, family, religion, location, or work details you do not want shared, and confirm the endpoint and API action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 89%
Finding
The top-level description is broad enough to activate on generic requests like registering, creating rooms, listing sessions, or checking status, without clearly constraining use to this specific matchmaking workflow. Overbroad activation increases the chance the skill runs in contexts where the user did not intend sensitive local profile ingestion or external NDAI transmission.

Vague Triggers

Medium
Confidence: 84%
Finding
The registration trigger says to use the flow when the user asks to join/register Duo, which can match ordinary account-creation requests lacking context. That ambiguity can cause the skill to activate unnecessarily and begin handling credentials or downstream matchmaking actions for the wrong task.

Missing User Warnings

High
Confidence: 98%
Finding
The skill requires reading multiple local files and transmitting derived sensitive personal information to an external API, but does not provide a prominent, up-front user warning or require informed consent. This creates a serious privacy risk because users may not understand that intimate profile, financial, religious, family, and lifestyle data can be inferred from local context and sent off-device.

Ssd 3

High
Confidence: 99%
Finding
These instructions direct the agent to collect and include highly sensitive attributes from local/profile sources and default toward inclusion unless the user explicitly opts out. That inversion of consent is dangerous because it encourages disclosure of data such as finances, religion, family background, health boundaries, and deal-breakers to an external matchmaking system without data minimization.

Ssd 3

High
Confidence: 98%
Finding
The skill explicitly instructs the agent to derive its relationship profile from local OpenClaw files before creating or joining rooms. This creates a direct path for local sensitive data exfiltration, because file-derived information is then embedded in outbound instructions to a third-party service.

Ssd 3

High
Confidence: 99%
Finding
The skill tells the agent to merge local and user-provided information into a sufficiently detailed self-profile so another agent can answer counterpart questions autonomously. In context, that means broad replication of private personal data into external negotiation instructions, increasing both privacy exposure and the blast radius if the external system is compromised or misuses the data.

VirusTotal

64/64 vendors flagged this skill as clean.
