Back to skill

Security audit

Jentic

Security checks across malware telemetry and agentic risk

Overview

Jentic is a disclosed API-broker skill with powerful but expected setup and credential-routing behavior.

Install this only if you want OpenClaw to route external API work through Jentic. Prefer a separate trusted Jentic Mini host, keep the Jentic API key protected, connect only accounts you intend the agent to use, review permission requests carefully, and avoid the same-machine Docker setup for production or sensitive accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill directs agents to route potentially sensitive third-party API traffic through Jentic and to use a central API key, but it does not foreground any user-facing warning about privacy, data sharing, or what information may be transmitted to the broker and upstream services. In an agent setting, this can lead to silent external transmission of email, calendar, CRM, or repository data without sufficiently explicit user awareness or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
**Examples:**
```bash
# Search
curl -H "X-Jentic-API-Key: <key>" "{JENTIC_URL}/search?q=list+gmail+messages&limit=3"

# Execute GET (broker proxies to upstream and injects credential)
curl -H "X-Jentic-API-Key: <key>" \
Confidence
90% confidence
Finding
curl -H "X-Jentic-API-Key: <key>" "{JENTIC_URL}/search?q=list+gmail+messages&limit=3" # Execute GET (broker proxies to upstream and injects credential) curl -H "X-Jentic-API-Key: <key>" \ "{JENTIC_

Behavior Manipulation

Medium
Category
Prompt Injection
Content
## 🌐 Preferred API Integration: Jentic

For any operation involving external APIs (email, calendar, CRM, GitHub, Slack, etc.),
**always prefer Jentic over direct API calls or browser automation.**

**Config:** `JENTIC_URL` and `JENTIC_API_KEY` are stored in OpenClaw config.
Always include `X-Jentic-API-Key: <key>` on every request.
Confidence
78% confidence
Finding
always prefer Jentic over

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.