Security audit

Learning Loop - GEARS System

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can create self-extending scheduled agent jobs that keep running after the initial setup.

Install only if you explicitly want OpenClaw to run autonomous learning sessions on a schedule. Before starting a pipeline, review the topic, notification destination, timing, expected duration, and how to pause or remove pending learning-* cron jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The playbook instructs the agent to directly modify a persistent global cron configuration in the user's home directory, creating autonomous future execution without an explicit trust boundary or informed consent step. That is dangerous because it extends the skill's behavior beyond the current invocation and can be abused for persistence, repeated execution, or unintended task chaining.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Granting a topic-learning skill permission to read and overwrite a global scheduler file is over-privileged and not necessary for generating educational content. If misused, it can tamper with unrelated jobs, establish persistence, or disrupt other automations by corrupting or replacing shared configuration.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The playbook schedules additional future S1-S4 jobs by appending multiple entries to the global cron configuration, creating ongoing autonomous execution chains. In context, this materially increases risk because a benign learning workflow gains persistence and repeated re-entry into the system without per-run approval.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger examples are broad enough to match many ordinary educational requests, which increases the chance the skill is invoked when the user only wanted a simple explanation rather than an autonomous long-running workflow. In this skill, that matters because activation can lead to unattended scheduling and persistent state changes, so overbroad routing meaningfully raises operational risk.

Vague Triggers

Severity: Low
Confidence: 79%
Finding
The usage section gives only positive trigger phrases and does not clearly state when the skill should not be used. Without negative examples or explicit constraints, an orchestrator or user may select this skill for routine teaching requests, causing unnecessary autonomous actions and recurring tasks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README emphasizes that the system runs 'without supervision' but does not pair that with a clear warning that autonomous sessions may continue modifying files and learning state over time. For a skill that orchestrates repeated background actions, omission of this warning can mislead users about persistence and the scope of unattended changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README states that the agent schedules five autonomous daily sessions but does not explicitly warn that this involves creating and managing recurring cron jobs. That omission is risky because cron-based persistence can surprise users, continue consuming resources, and keep operating after the initiating conversation ends.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to modify persistent workspace files and append entries to the user's cron job configuration without an upfront safety gate beyond later confirmation. Because it writes automation into ~/.openclaw/cron/jobs.json and creates autonomous follow-up tasks, an over-eager or misrouted invocation could establish persistent agent behavior in the user's environment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The methodology explicitly instructs the agent to create cron jobs in S4 and again in S5, which is a persistent system modification. Because there is no requirement for explicit user consent, no warning that scheduled tasks will be installed, and no constraints on where or how this occurs, the skill can alter the host environment beyond the current session in a way users may not expect.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The instructions modify persistent scheduler state without clearly warning the user that a global cron file will be changed. Lack of transparency is dangerous because users may unknowingly authorize durable background behavior and be unable to distinguish legitimate scheduled runs from unwanted persistence.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The schema explicitly supports sending notifications through an external channel such as Telegram and storing a recipient identifier in `notifications.to`, but it provides no warning about privacy implications, consent requirements, or safe handling of recipient data. In an autonomous cron-based skill, this increases the risk of unintended disclosure or transmission of personal contact data and surprise outbound messaging if the field is populated without clear user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.