Qordinate - Durable lists, facts, and reminders for OpenClaw agents.

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only memory skill that clearly tells agents to send selected reminders, contacts, tasks, and facts to Qordinate through WhatsApp, Telegram, or Slack.

Install only if you are comfortable with your agent storing selected memory in Qordinate through the chosen chat platform. Set clear rules for what may be saved, and avoid secrets, credentials, tokens, health or financial details, private internal material, or anything that should not leave the local agent environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs agents to send user facts, tasks, reminders, preferences, contacts, and other structured data to Qordinate via WhatsApp, Telegram, or Slack, but the description does not clearly warn users that their data will leave the local agent environment and be processed by multiple third-party services. This creates a real privacy and consent issue because sensitive information may be transmitted externally without informed user awareness.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal