Back to skill

Security audit

Media Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it downloads requested media, stores it in the OpenClaw workspace, and sends it through configured chat channels, with cleanup and confirmation caveats.

Install only if you are comfortable with the agent fetching third-party media, writing files and Spotify metadata into the OpenClaw workspace, and sending resulting files through configured WhatsApp or Telegram accounts. Confirm the recipient and requested media before use, and clean the workspace periodically because the skill does not show automatic deletion or retention limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes network access, shell-backed tooling, and direct file download behavior, but it does not declare permissions or boundaries for those capabilities. In an agent environment, undeclared network and shell behavior increases the risk of silent remote fetches, arbitrary command execution paths through helper tools, and misuse of the workspace as a staging area for untrusted content.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation scope is phrased as broad natural-language intents such as 'send audio file' or 'play', without tight trigger conditions or confirmation requirements. This can cause the skill to activate on ambiguous user input and perform network downloads, file writes, or file delivery actions unexpectedly, especially in chat contexts where commands may be informal or quoted.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill description explains that media is downloaded into the workspace and later dispatched, but it does not clearly warn users that untrusted remote content will be fetched and written to local storage. Missing disclosure reduces informed consent and can hide storage, malware screening, copyright, and privacy risks associated with downloading and persisting third-party media and scraped metadata.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest declares a skill that downloads and delivers media while requesting both executable access and filesystem write permissions, yet it does not provide any explicit user-facing warning or consent language about those impactful operations. In a media-handling skill, this increases the risk of users unknowingly invoking downloads, file creation, or external tool execution, which can lead to unexpected disk usage, policy violations, or misuse of local resources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill performs external network retrieval and then forwards the resulting media to a chat target without any explicit user-facing disclosure or confirmation at execution time. In an agent setting, this can enable silent exfiltration-like behavior, unexpected bandwidth/storage consumption, and user surprise because file creation and outbound transfer happen automatically.

Unvalidated Output Injection

High
Category
Output Handling
Content
# Determine source based on chat_target (WhatsApp or Telegram)
            source = "whatsapp" if chat_target and chat_target.startswith("+") else "telegram"
            cmd = ["python3", str(spotify_script_path), source, query]
            spotify_result = subprocess.run(cmd, capture_output=True, text=True, check=True)
            log_output(f"Spotify Surface output: {spotify_result.stdout}")
            # spotify_surface script already handles output emission
            return
Confidence
84% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.