X Creat Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: create an OpenClaw agent and optionally save Feishu bot credentials locally, but users should handle the credentials carefully.

Install only if you want a helper that can create new OpenClaw agents and modify your OpenClaw configuration. If using Feishu pairing, prefer a private terminal, avoid sharing command history or logs, and treat openclaw.json as sensitive because it may contain plaintext bot credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger phrases are broad enough to match ordinary conversation about creating an agent, which can cause this skill to activate unexpectedly and steer the session into collecting identifiers and secrets or initiating filesystem changes. In this context the risk is elevated because the skill's workflow culminates in script execution and persistent configuration updates, not merely informational assistance.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script accepts Feishu AppID/AppSecret on the command line and persists the AppSecret directly into openclaw.json, which increases the risk of secret exposure through shell history, process listings, backups, logs, and overly broad file permissions. This is a real security issue because it stores long-lived credentials in plaintext without an explicit warning, consent step, or safer secret-handling mechanism.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal