Polling Best Practices (J-Claw)

Security checks across malware telemetry and agentic risk

Overview

This skill is review-worthy because it can create persistent background pollers that run local commands, send Discord messages, and optionally trigger more agent work.

Install only if you intentionally want agents to create and run background polling scripts. Before launch, inspect the generated poll.sh, avoid untrusted command or message inputs, keep agent chaining disabled unless explicitly needed, record the PID, and make sure you know how to stop the process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The template includes a built-in path to invoke `openclaw agent` for workflow chaining, which expands the script from passive polling into agent-initiated action execution. In a skill framed as polling best practices, this increases risk because task completion can automatically trigger additional privileged behavior based on injected message content, making misuse or prompt/command propagation easier if the template is adapted without tight controls.

VirusTotal

65/65 vendors flagged this skill as clean.
