Install Shared Skill

Security checks across malware telemetry and agentic risk

Overview

This skill installs other OpenClaw skills, but its documented install scope is inconsistent and its tool code can run unintended shell commands from a crafted skill name.

Review carefully before installing. Only use this with trusted, simple skill names, and prefer a fixed version that uses argument-array execution, validates skill slugs, clearly states whether it installs globally or into the workspace, and asks for confirmation before changing installed skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill claims to perform a shared/system-wide installation, but the documented command uses `--workdir ./`, which indicates workspace-scoped installation. This mismatch can mislead users and agents about the scope of changes, causing incorrect trust decisions, failed security assumptions, and accidental installation into the wrong location.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The manifest explicitly advertises global/system-level shared installation while the documented behavior installs into the current working directory. Security-sensitive tooling depends on accurate scope declarations; when those are false, users may authorize the skill under incorrect assumptions and downstream automation may apply the wrong safeguards.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: The title and tool descriptions present this as a shared/global installer, but the actual command is workdir-scoped. This deceptive or careless framing increases operational risk because an operator may believe they are modifying shared agent state when they are only affecting the current workspace, or may incorrectly approve its use based on that claimed scope.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The implementation contradicts the skill's stated purpose by installing into the current workspace via `--workdir ./` and `cwd: OPENCLAW_WORKSPACE || process.cwd()`, not a shared/system location. This can mislead users and other agents about where code is being installed, causing unintended code execution or persistence in the active workspace and weakening trust boundaries between local and shared scope.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The inline comments explicitly describe a workspace-scoped install and execution path even though the skill metadata promises shared/system installation. This inconsistency is dangerous because reviewers and users may rely on the manifest description while the code performs a different action, enabling deceptive or accidental misuse of installation scope.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The skill metadata and comments claim this installs skills at a shared/system scope, but the actual command uses `--workdir ./` and executes in the current workspace. This mismatch is dangerous because agents or operators may grant it elevated trust or use it assuming global installation semantics, while it instead modifies the active workspace and can introduce unexpected or hidden changes there.

Intent-Code Divergence

Severity: High
Confidence: 91%
Finding: The inline documentation and header explicitly describe one behavior, while the code performs another. In security-sensitive agent tooling, deceptive or inaccurate documentation is itself risky because reviewers and downstream agents may rely on the stated behavior and miss the fact that the tool changes the local workspace instead of a shared location.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The tool runs an external package-management CLI and returns its raw output, yet the documentation does not clearly warn that this makes persistent changes and introduces third-party content into the environment. Installing external skills can alter agent behavior and trust boundaries, so the lack of a warning increases the chance of unsafe invocation.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The tool executes a package-install command built from untrusted input using `exec(...)` with no confirmation, warning, or input validation. In this context, the danger is elevated because the skill is specifically designed to fetch and install external code, so a crafted skill name can trigger shell injection or silent installation of unreviewed packages into the agent's environment.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The code interpolates a user-controlled `skillName` directly into a shell command passed to `exec`, which invokes a shell. An attacker can supply shell metacharacters to execute arbitrary commands in the workspace context, leading to command execution, file modification, or data exfiltration; this is more dangerous here because the tool is explicitly designed to fetch/install remote content and may be used with high trust.

VirusTotal

VirusTotal findings are pending for this skill version.
