Elasticsearch Openclaw

Security checks across malware telemetry and agentic risk

Overview

This documentation-only Elasticsearch skill is marketed as read-only, but several included examples can create credentials, modify indexes, configure inference, or change cluster behavior.

Review before installing if you need strict read-only behavior. Use a narrowly scoped Elasticsearch API key limited to the `read` and `view_index_metadata` privileges on specific indices, and do not follow the setup, indexing, pipeline, inference-endpoint, API-key-creation, or cluster-setting examples unless you intentionally want to modify the cluster.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The skill repeatedly claims it is read-only, but it includes a concrete `POST /_security/api_key` example that performs a security-administration action and creates new credentials. This mismatch can mislead an agent or user into treating the skill as safer than it is, and could enable unauthorized privilege expansion if followed with sufficiently privileged credentials.

Intent-Code Divergence

Medium (95% confidence)
Finding
The file states that no write operations are included or executed, yet later provides an actionable admin API request that creates an API key. Even as documentation, this contradiction weakens trust boundaries and can cause unsafe automation or operator decisions based on an inaccurate safety claim.

Description-Behavior Mismatch

High (98% confidence)
Finding
The file is explicitly presented as a read-only reference, yet it includes administrative and mutating guidance such as resetting cluster settings, creating indices, reindexing, changing replica settings, and disabling refresh intervals during indexing. In an AI-orchestrated setting, this mismatch can cause an agent or user to execute privileged write/admin actions under the false assumption that the skill is safe and read-only.

Context-Inappropriate Capability

High (97% confidence)
Finding
Cluster administration and indexing guidance is outside the stated purpose of a read-only search reference and expands the operational scope from safe querying into privileged system modification. This increases the chance that an AI agent with available credentials will perform unsafe administrative actions, potentially altering cluster availability, durability, or data lifecycle.

Description-Behavior Mismatch

High (97% confidence)
Finding
The skill metadata explicitly promises read-only Elasticsearch guidance, but this section includes `PUT my-index` and `POST my-index/_doc`, which create and modify cluster data. In an AI-orchestrated setting, this mismatch can cause an agent or user to perform write operations under the false assumption that the skill is constrained to safe read-only behavior.

Description-Behavior Mismatch

High (99% confidence)
Finding
This section documents `PUT _inference/...` to create an inference endpoint, which is an administrative write/configuration action and directly contradicts the skill's stated read-only scope. Because the skill is presented as safe for read-only operations, this can mislead automation into provisioning external integrations and changing cluster configuration unexpectedly.

Intent-Code Divergence

Medium (95% confidence)
Finding
The documentation frames `semantic_text` as the recommended approach while embedding non-read-only index creation and document ingestion examples in the main guidance path. That makes the contradiction more dangerous because users and agents are steered toward actions that violate the advertised security boundary as part of the default workflow.

Description-Behavior Mismatch

High (95% confidence)
Finding
The skill is explicitly described as read-only, but this section includes a `PUT my-index` mapping creation example, which is a write/admin operation. In an AI-orchestrated setting, documentation that contradicts the declared safety boundary can cause an agent to attempt privileged cluster changes, undermining least-privilege assumptions and creating a path to unintended data or schema modification.

Description-Behavior Mismatch

High (99% confidence)
Finding
This example shows `POST my-index/_doc?pipeline=...`, which indexes a document and is directly incompatible with the skill's claim that no write/update/delete operations are included. If an agent trusts the manifest and follows the example, it may perform unauthorized writes or request broader API key permissions than intended.

Intent-Code Divergence

Medium (96% confidence)
Finding
The auto-embedding ingest workflow introduces pipeline creation and ingestion guidance inside a skill whose security context promises read-only search and analytics. Even if presented as setup guidance, this broadens the operational scope from querying to data mutation, increasing the chance that an agent or user oversteps intended privileges.

Missing User Warnings

Medium (91% confidence)
Finding
The example shows an API key field populated with a realistic credential format (`jina_xxxxxx`) without an explicit warning not to hardcode or commit real secrets. In practice, users or downstream agents may copy this pattern into source files, prompts, or logs, increasing the risk of credential leakage and unsafe secret handling.

VirusTotal

66/66 vendors flagged this skill as clean.
