Back to skill

Security audit

Openclaw

Security checks across malware telemetry and agentic risk

Overview

This research skill is mostly coherent, but it can delete or move broad workspace files and sends research content to external AI CLIs by default without a clear privacy gate.

Install only if you are comfortable with this skill spawning sub-agents, running shell commands, creating report folders, and sending research findings to external AI CLI tools under your local accounts. Use a dedicated empty workspace, choose archive instead of delete during cleanup, and set RESEARCH_CROSS_MODEL=none or restrict RESEARCH_CLI_TOOLS when researching confidential, regulated, client, or internal topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to enumerate and then archive or delete directories and root-level state files in the current working directory before starting research. Even with a prompt for user choice, this cleanup reaches beyond the new report's own workspace and can destroy unrelated project data, creating unnecessary integrity and availability risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill includes `rm -rf` cleanup behavior for discovered directories and state files, but the warning language emphasizes workflow interference rather than the risk of irreversible deletion. In an automated agent context, destructive commands without strong, explicit deletion safeguards can cause accidental loss of unrelated user or project files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill routes research findings to external CLIs such as codex, gemini, and claude for cross-validation, but it does not require a user-facing privacy notice or consent before transmitting potentially sensitive material. That can lead to unintentional disclosure of proprietary topics, internal notes, or regulated data to third-party model providers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol explicitly instructs piping research contents to external CLI-backed models without any privacy gating, data classification, user consent, or minimization guidance. In an industry-research skill, findings and source summaries can include confidential business context, internal plans, or sensitive client information, so sending them to third-party model providers creates a real data-exposure risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instructions require writing core findings, key data points, and a long-form conclusion to a temporary file and then forwarding that material verbatim to external CLIs. That creates a straightforward exfiltration path for sensitive natural-language content, especially because research workflows often aggregate proprietary analysis, unpublished metrics, and customer/internal context.

Ssd 3

Medium
Confidence
90% confidence
Finding
The protocol directs the agent to insert external CLI responses directly into the final report, which can propagate sensitive details echoed back by the third-party model and amplify earlier disclosure. This increases downstream exposure because the returned content may now be shared more broadly with users, logs, or stored artifacts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.