MCP Workflow

Security checks across malware telemetry and agentic risk

Overview

This workflow skill is not overtly malicious, but it exposes broad local file-reading and persistent workflow state without enough limits or warnings.

Install only if you are comfortable running an MCP server that can read any local file its process can access. Use it only with trusted clients and preferably inside a restricted project directory or sandbox; avoid storing secrets in workflow memory or logs. A safer version should restrict file:// reads to an allowlisted workspace, document persistence clearly, and add redaction/retention guidance for logs and memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 72%
Finding: The skill advertises executable behavior that relies on environment/configuration and server startup, but it does not declare permissions or clearly scope those capabilities. In an agent setting, hidden capability requirements reduce transparency and can lead to the skill being granted broader execution context than users expect.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes well beyond 'workflow automation' and includes arbitrary local file access, persistent memory storage, local server lifecycle control, scaffolding/export of local files, and prompt rendering utilities. This mismatch is dangerous because users may approve or load the skill under a much narrower trust assumption than the actual capabilities warrant, enabling data exposure or unintended system changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The server advertises a `file://{path}` resource template, explicitly exposing local file access to MCP clients. For a workflow-automation skill, this broad file-system capability exceeds the stated purpose and can enable unauthorized reading of sensitive files if a connected client requests arbitrary paths.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The `ReadResource` handler reads any path supplied in a `file://` URI using `fs.readFileSync` with no sandboxing or path validation. This creates an arbitrary local file-read primitive that can expose secrets such as SSH keys, environment files, tokens, or application configs to any MCP client able to call the resource.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The guidance to 'Log Everything' includes recording raw workflow input and output, which can easily capture secrets, personal data, proprietary prompts, or tool results. In an MCP workflow context, those values may come from multiple servers and external triggers, increasing the chance that sensitive data is retained in logs without minimization, redaction, or retention controls.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding: `cmd_run` persists the workflow context to `.mcp/.workflow-memory.json` on every step without any disclosure, opt-in, or sensitivity filtering. If the input JSON contains secrets, tokens, prompts, or private workflow data, they will be silently written to disk where they may be exposed to other local users, backups, or later processes.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding: The `memory set` and `memory del` commands modify a persistent JSON file on disk without clearly warning the user that data is being stored in or removed from `.mcp/.workflow-memory.json`. This can lead to accidental retention of sensitive values or destructive changes to shared state, especially when used in automation or by users who assume the operation is in-memory only.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: Starting the server launches a background Node process and appends stderr to a log file without an explicit warning that a subprocess will continue running and logs will be written persistently. In a skill context, silent background execution and log persistence are meaningful trust-boundary issues because users may not expect long-lived processes or disk artifacts from a workflow command.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The example presents logging of full inputs and outputs as normal practice, stated in plain language, which can lead to persistent storage of sensitive user-provided data, tokens, internal documents, or generated content. Because this skill covers workflow automation, cross-server workflows, and external triggers, the logging pattern is more dangerous than in a toy example: it can aggregate data from several systems into a single, long-lived audit trail.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
## Configuration

Create `~/.openclaw/mcp-workflow.json`:
```json
{
  "servers": [
```
Confidence: 79%
Finding: Create `~/.openclaw

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal