Back to skill

Security audit

Daily Greeting

Security checks across malware telemetry and agentic risk

Overview

This skill matches its daily-greeting purpose, but it needs review because it can automatically send context-derived messages to every bound channel on a recurring schedule.

Install only if you want agents to send unattended greetings into bound messaging channels. Review the channel bindings, disable status summaries or history-based inference if the channels may contain sensitive work, and check BOOT.md/cron entries before enabling or uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill’s top-level description emphasizes personality and greetings, but the documented behavior includes system-modifying actions such as BOOT.md edits, cron management, persistent state tracking, and self-deletion. Those behaviors may be legitimate for installation and cleanup, but they materially expand the trust boundary and should be disclosed prominently because they affect host configuration and persistence.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README instructs users to wire the skill into BOOT.md and a recurring cron job, causing autonomous execution and modification of local startup/scheduling configuration beyond a simple 'greeting' action. This is not necessarily malicious, but it increases persistence and operational impact, especially since the skill can send outbound messages automatically and uninstall behavior includes removing the skill directory.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The configured trigger message exceeds a simple greeting by directing agents to infer the user's preferred language from channel history and include role-based status summaries from ongoing tasks. This expands the skill into automated context mining and unsolicited disclosure, creating privacy and least-privilege risks because the agent may surface sensitive task information into a bound channel without explicit user consent each time it runs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Instructing agents to analyze channel history and user context is not necessary for a daily greeting and materially broadens data access beyond the feature's stated purpose. In an automated cron-like workflow, this can normalize background review of prior conversations and increase the chance that personal or sensitive context is unnecessarily processed and echoed back into messages.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide instructs users to wire the skill into BOOT.md and scheduled cron execution, giving a simple greeting feature persistent automatic execution at startup and on a timer. That broadens its reach beyond an on-demand greeting command and creates an unnecessary trust boundary expansion: any future change to the referenced script will inherit privileged, recurring execution without fresh user review.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The uninstall section states the skill will delete its own skill directory in addition to removing persistence hooks. Self-removal is a destructive capability not inherently required for a greeting feature and can erase evidence, complicate review, or remove files unexpectedly if path handling is unsafe in the underlying script.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The uninstall routine performs actions well beyond a greeting skill's core purpose: it edits BOOT.md, removes a cron job, and recursively deletes the skill directory. Even if intended as cleanup, these are destructive side effects that can remove user data or configuration without strong validation, making accidental damage possible.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The header comment claims the script only finds agents and sends trigger signals, but the file also modifies persistence and filesystem state by installing/removing cron jobs, editing BOOT.md, resetting state, and deleting directories. This mismatch hides the true privilege and side-effect surface, increasing the chance that reviewers or users will authorize the skill without understanding its capabilities.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is described as automatically sending personalized messages to bound channels and modifying local configuration/state, but the README does not prominently warn users about autonomous outbound communications and persistent local changes. In a messaging-integrated agent environment, this can lead to unexpected disclosures, spam, or policy violations if users enable it without understanding its behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill is designed to automatically send messages to all bound channels on startup or on a schedule, which creates unsolicited outbound communication without clear opt-in safeguards or runtime confirmation. In multi-channel or production environments, this can spam users, leak operational status, or send messages to channels the operator did not intend to target.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Inferring and enforcing the user's preferred language from channel history and user context relies on implicit profiling without documented consent or override controls. This can mis-handle sensitive user context, produce incorrect language selection, and increase privacy risk by mining prior conversations for personalization.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The automated greeting behavior is triggered by a broad instruction to send to the bound channel, but the config does not clearly constrain when, for whom, or under what safety checks this should occur. Underspecified automation scope is dangerous because it can cause messages to be sent in unintended channels or contexts, increasing the likelihood of privacy leaks, spammy behavior, or disclosure of role/task information to the wrong audience.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Choosing language by inference from channel history rather than explicit user selection introduces unnecessary profiling and can misinterpret user preferences or expose that the system is monitoring prior conversations for behavioral cues. In the context of an automated daily greeting skill, this is especially risky because the inference happens routinely and without an interactive confirmation step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README tells users to fetch and execute remote installation guidance and run shell commands that clone, copy, chmod, and install a skill without any warning about persistence or system modification. This is dangerous because it conditions users to perform trust-on-first-use installation from a remote source, which can lead to unintended code execution or persistent environment changes if the source is compromised or the skill is unsafe.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation enables both BOOT.md and cron-based auto-execution by default, creating persistent recurring execution with no explicit safety warning or consent emphasis. In the context of an agent skill that sends messages and can invoke scripts automatically, persistence materially increases risk by causing repeated unattended actions, expanding the blast radius of any misbehavior or compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation guide does not prominently warn users at the start that setup enables startup automation, scheduled execution, and local configuration edits. That lack of informed consent is security-relevant because users may install a seemingly harmless greeting skill without realizing it gains persistence and modifies agent boot behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstall instructions describe removing cron jobs and deleting the skill directory without a clear warning that these actions are destructive. Even if intended, users should be told up front that uninstall alters persistence configuration and may permanently remove local files so they can verify scope and back up anything needed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The uninstall command removes the entire skill directory with rm -rf and no confirmation prompt or dry-run mode. If invoked unexpectedly or with an altered SKILL_DIR, this can irreversibly delete files and makes operator error more damaging.

Ssd 3

Medium
Confidence
95% confidence
Finding
The trigger message explicitly tells agents to infer the user's preferred language from channel history and user context and include status information based on ongoing tasks. That encourages harvesting prior conversational and work-context data for outbound messages, which can expose sensitive information into channels without a narrowly scoped consent boundary.

Ssd 3

Medium
Confidence
95% confidence
Finding
The trigger message explicitly tells agents to infer from channel history and user context and include role/task status details in greetings sent to bound channels. That creates a real confidentiality risk because the agent may disclose sensitive project state, personal context, or task information into channels where such summaries were not explicitly requested or may have broader visibility.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
---
name: daily-greeting
description: Give your OpenClaw agents personality! Automatically sends personalized daily greetings to all bound channels. Each agent greets users in their preferred language with relevant status updates. Supports BOOT.md and OpenClaw cron triggers.
---

# Daily Greeting Skill
Confidence
88% confidence
Finding
Automatically send

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.