Back to skill

Security audit

Strategy Consultant Package

Security checks across malware telemetry and agentic risk

Overview

This strategy-consulting skill is purpose-aligned, but users should treat Brave searches and API-key configuration as normal privacy-sensitive integration steps.

Install if you want a strategy-consulting workflow that can use Brave-backed web research. Use environment variables or the OpenClaw configuration flow for the Brave key when possible, avoid putting secrets or unreleased company/client strategy into search queries, and invoke the skill explicitly if you have other business or finance skills installed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises Brave search for real-time intelligence but does not disclose that user prompts or query terms may be transmitted to an external provider. In a strategy consulting context, queries may contain confidential business plans, target companies, experts, or market hypotheses, so lack of disclosure can lead to unintended data exposure and privacy/compliance issues.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs users to place the Brave API key in a plaintext YAML config file under the home directory, but does not warn that this creates a credential-at-rest exposure. If the workstation, backups, dotfile sync, or local file permissions are compromised, the key can be recovered and abused for unauthorized API usage and quota consumption.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest exposes very broad, generic command triggers such as 'market', 'business', 'finance', and 'bp' without any namespace or scope restriction. In an agent ecosystem, these terms can cause accidental or overly eager invocation in unrelated contexts, increasing the chance that the skill intercepts user intent, influences outputs unexpectedly, or is used when more specific tooling should apply.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.