Back to skill

Security audit

CyberLens Security Scanner

Security checks across malware telemetry and agentic risk

Overview

CyberLens is a coherent security-scanning skill, with expected network scanning, cloud account, local credential, and report-export behavior disclosed well enough for installation with caution.

Install only if you are comfortable with a scanner contacting websites or repositories you ask it to scan and, when connected, sending targets to CyberLens cloud services. Protect or rotate the stored API key on shared machines, use local scanning for sensitive sites where possible, review generated PDFs before sharing, and expect a browser page to open for account connection or quota upgrades.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while its documented behavior clearly includes network access, local file reads/writes, environment-variable use, and shell-based execution via python3 commands. This is dangerous because it hides the real privilege surface from users and reviewers, reducing informed consent and making risky actions like credential storage and remote scanning less transparent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as a scanner, but the documented behavior extends into browser launching, local callback hosting, API-key storage, package downloading/extraction, filesystem report export, and opening pricing pages. That mismatch is risky because users may invoke the skill expecting passive analysis while it performs broader system and network actions that increase attack surface and privacy impact.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Quota-handling logic triggers open_upgrade_page() as a side effect during scan/scoring flows, causing the host to open a browser without explicit user confirmation. In an agent/tooling context, that is unsafe because a remote service response or normal quota condition can induce unexpected local UI actions, enabling nuisance behavior, workflow disruption, and potential abuse if upgrade URLs are ever misconfigured or influenced externally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly supports cloud scanning with an API key and remote endpoint, but it does not provide a clear warning that scan targets or related metadata may be transmitted off-device. This can mislead users into submitting internal URLs, repositories, or skill content to an external service without informed consent, creating privacy and data handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The scanner performs a network request to an arbitrary user-supplied URL without any visible allowlist, private-address filtering, or explicit warning/disclosure in this code path. In a security-scanning skill, this creates a real SSRF-style capability that could be abused to probe internal services, cloud metadata endpoints, localhost, or other sensitive network targets reachable from the runtime environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code extracts an untrusted ZIP archive using ZipFile.extractall() without validating member paths. This can allow a malicious archive to perform path traversal (zip-slip), writing files outside the temporary extraction directory and potentially overwriting arbitrary local files accessible to the process.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatically opening an upgrade page on quota exhaustion without prior confirmation is an unsafe side effect for a scanning tool. In agent environments, a simple scan request can unexpectedly launch browser windows, which can be abused for spammy UX, social engineering, or forcing user attention toward monetization flows.

Session Persistence

Medium
Category
Rogue Agent
Content
## First-Time Setup

Website quick scans and Claw Hub skill package scans work without an account. Connect a CyberLens account when the user wants the full cloud website scan or any repository scan. Run the `connect_account` tool. This opens a browser to cyberlensai.com where they sign in or create an account. A short-lived connect code is delivered through the callback, the skill exchanges that code for the real account key over HTTPS on official CyberLens hosts, and the key is stored at `~/.openclaw/skills/cyberlens/config.yaml`.

Browser authentication uses `https://cyberlensai.com/connect`. The hosted scan API runs at `https://api.cyberlensai.com/functions/v1/public-api-scan`. If the user needs to override the scan API endpoint explicitly, set `CYBERLENS_API_BASE_URL`.
Confidence
85% confidence
Finding
create an account. A short-lived connect code is delivered through the callback, the skill exchanges that code for the real account key over HTTPS on official CyberLens hosts, and the key is stored at

Known Vulnerable Dependency: black — 3 advisory(ies): CVE-2026-32274 (Black: Arbitrary file writes from unsanitized user input in cache file name); CVE-2024-21503 (Black vulnerable to Regular Expression Denial of Service (ReDoS)); CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Regular Expression)

High
Category
Supply Chain
Confidence
95% confidence
Finding
black

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/skill_scanner.py:30