skill9

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches a cloud backup purpose, but it needs review because it can automatically push or delete skill backups and appears to use persistent hooks or agent rules.

Install only if you want skill files backed up to skill9's cloud. Before setup, verify the CLI source, review the GitHub OAuth scopes, decide whether automatic backup is acceptable, and inspect any AGENTS.md rule or hook entries, removing them if you do not want persistent syncing.

Static analysis

Destructive delete command
Severity: Warn
Finding: Documentation contains a destructive delete command without an explicit confirmation gate.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Medium
What this means

Skill contents or delete events could be sent to the cloud immediately after local changes, including accidental or sensitive changes.

Why it was flagged

The skill's instructions direct the agent to run cloud push/delete commands automatically after every skill operation, without requiring fresh user confirmation for each cloud mutation.

Skill content
After performing ANY of the following actions on skills, you MUST immediately run the corresponding command ... Deleted a skill | `skill9 push --delete <skill-name> --json` ... Do not batch
Recommendation

Require explicit user opt-in for auto-backup, confirm deletes separately, and allow users to restrict which skills are synced.

ASI10: Rogue Agents
Severity: Medium
What this means

Backup behavior may persist across agent sessions or platforms and continue triggering cloud pushes after the initial setup.

Why it was flagged

The uninstall guide indicates persistent agent rules/hooks may be installed, but the setup guide does not clearly disclose their creation or require separate consent for them.

Skill content
OpenClaw AGENTS.md rule | "Skill Backup Rule (skill9)" section ... Claude Code hook | `skill9 push` entry in `~/.claude/settings.json` hooks.Stop ... Cursor hook | `skill9 push` entry in `~/.cursor/hooks.json` hooks.stop
Recommendation

Disclose hook/rule installation during setup, make it opt-in, and show users exactly how to inspect or remove each persistent entry.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Installing the CLI gives external code local execution ability and access to the skill files it later syncs.

Why it was flagged

The skill relies on an external, globally installed package whose code is not included in the reviewed artifacts.

Skill content
npm install -g skill9
Recommendation

Verify the npm package publisher, pin or review the version where possible, and install only from a trusted source.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

The user may authorize account access without seeing the exact privileges or token handling in these artifacts.

Why it was flagged

The skill requires a GitHub-based login for cloud sync, but the registry metadata declares no primary credential and the requested OAuth scope is not described.

Skill content
skill9 login --github
Recommendation

Review the GitHub authorization scopes before approving and revoke the token if you stop using the service.

ASI06: Memory and Context Poisoning
Severity: Medium
What this means

Old or sensitive skill instructions may remain in the cloud and be restorable later unless separately deleted.

Why it was flagged

Backed-up skill versions persist in the cloud even after a local uninstall; this is expected of a backup vault, but it matters for privacy and data retention.

Skill content
Cloud data (backed-up skill versions) is NOT deleted.
Recommendation

Avoid syncing sensitive skills unless needed, and delete cloud copies separately if you want the data removed.