Back to skill

Security audit

Php Full Stack Developer

Security checks across malware telemetry and agentic risk

Overview

This Markdown-only PHP development workflow is coherent and disclosed, with memory and logging behavior that fits its cross-session governance purpose.

Install this only if you want a governance-heavy PHP development assistant that uses OpenClaw workspace memory and local logs. Keep secrets, credentials, and unnecessary personal data out of those memory/log files, and review logged entries for sensitive project details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs the agent to read multiple workspace memory files, including persistent user and session context, without any requirement for user consent, minimization, or warning that sensitive data may be accessed. In an agent runtime, this creates a real privacy and overreach risk because the skill can cause collection of unrelated secrets or historical context beyond what is necessary for the current task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs the agent to write activity, decisions, conflicts, and cached facts into persistent workspace logs without warning the user that workspace state will be modified or that user-derived data may be retained. This is dangerous because it can silently persist sensitive task content, create unexpected side effects, and contaminate future sessions with data the user did not intend to store.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.