Back to skill

Security audit

Activity Notifier

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: send concise agent activity updates to Discord, with the main privacy caution that those updates may reveal task details outside OpenClaw.

Install this only if you are comfortable with activity updates being posted to the configured Discord channel. Verify the channel ID, keep messages high-level, and avoid using it for secrets, confidential client work, sensitive filenames, private URLs, or internal incident details unless the Discord audience is trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill is explicitly designed to send agent activity updates to Discord, an external third-party service, but it does not warn the user that task metadata will leave the local agent environment. Even if the messages are intended to be high-level status updates, they can still disclose sensitive operational details such as what the agent is doing, timing, progress, failures, and possibly task context, creating a privacy and data-leakage risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.