OpenClaw Agency Agents

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated job, but it can persistently replace core agent instruction files with content pulled from an unpinned third-party repository.

Install only if you trust the external agency-agents-zh repository and are comfortable letting this skill change persistent OpenClaw identity and instruction files. Review the selected agent markdown before activation when possible, keep the generated backups, and be aware that updates can change future activated personas.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill documentation materially understates its behavior: it claims agent listing/search/activation and automatic initial clone, but also describes overwriting workspace identity/config files, backing up and restoring prior state, and updating a remote repository. That mismatch is security-relevant because users and orchestrators may grant the skill more trust or invoke it in situations where file modification and remote update side effects are not expected, increasing the chance of unintended workspace tampering or supply-chain exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script performs persistent writes to workspace-level files (SOUL.md, IDENTITY.md, AGENTS.md) and creates backups, which is more than a read-only 'activate' action and changes the agent's operating context. Because the content written is sourced from a cloned repository and injected into top-level configuration files without trust verification or explicit user confirmation, this can alter behavior and persist untrusted instructions across sessions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script restores backup copies of SOUL.md, IDENTITY.md, and AGENTS.md directly into the workspace using cp, with no confirmation prompt, dry-run mode, or explicit warning that existing files will be overwritten. In this skill's context, those files likely control agent identity and behavior, so an accidental or unexpected restore can silently revert user customizations or operational state and cause integrity loss.

VirusTotal

VirusTotal findings are pending for this skill version.