Back to skill

Security audit

Event-Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it watches configured events and can wake or message OpenClaw sessions, but it needs careful configuration because it runs in the background and handles event payloads locally.

Install only if you want a background process that can automatically wake or message OpenClaw sessions from Redis or webhook events. Keep the safety preamble enabled for untrusted sources, use narrow filters and reply targets, disable session-store lookup if you do not want local session metadata read, protect or rotate local logs and dead-letter files, and pin redis/pyyaml before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises operational behavior that relies on filesystem access, shell execution, environment use, and writing/reading config and event data, but it declares no explicit permissions. That mismatch weakens policy enforcement and informed consent because an agent or platform may run a skill with broader effective capabilities than the manifest communicates. In this context, the risk is elevated because the skill processes untrusted event payloads and is intended to run persistently in the background, increasing the chance that undeclared capabilities could be abused for data access, command execution, or unintended persistence.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill searches local OpenClaw session-store files and uses their contents to resolve session IDs and routing context without explicit user approval. In this event-watcher context, that creates a powerful cross-session capability: incoming events can cause the watcher to target existing user sessions discovered from disk, enabling unintended access, message injection into active conversations, and privacy exposure across agents.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This code can invoke OpenClaw agents and send outbound messages as an automated reaction to untrusted events, effectively bridging external event sources to agent execution and communications. In an event automation skill, that is especially dangerous because a crafted event can wake an agent, influence its prompt, and potentially trigger replies or actions without an interactive user checkpoint.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The prompt-file feature tells the downstream agent to read an arbitrary local file for instructions, which expands an untrusted event-triggered workflow into local file access. In this watcher context, that is dangerous because configuration can silently turn external events into prompts that cause the agent to ingest sensitive local files or attacker-planted prompt content, undermining the intended 'treat payload as untrusted data' boundary.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The watcher reads potentially sensitive session metadata from local files with no user-facing disclosure or consent mechanism. While this is more a privacy and trust-boundary weakness than an exploit primitive, it materially increases the chance of unauthorized session correlation and hidden cross-session behavior in an automation skill.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
This function silently triggers OpenClaw session delivery through a subprocess, which can cause side effects on behalf of the user without obvious runtime disclosure. In an event watcher, hidden automated delivery makes misuse harder to detect and amplifies the consequences of malicious or noisy event sources.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The watcher executes an external agent, captures its output, and may forward that output onward without explicit warning about what data may leave or be processed. This is risky in context because untrusted events can trigger hidden agent processing chains whose outputs may contain sensitive information or unintended actions.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Outbound message transmission to arbitrary configured channels/targets occurs without a clear user-facing warning, allowing the watcher to act as a hidden exfiltration or notification path. In an event-driven automation skill, that absence of transparency increases the damage from malicious events, configuration abuse, or prompt-manipulated agent responses.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Dead-letter logging stores full event payloads to disk without a clear retention warning, which can preserve secrets or sensitive personal data from external events. Because this skill ingests webhook and stream data, local persistence of failed payloads broadens the blast radius of any sensitive event contents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Operational logging writes event metadata and message previews to disk, which may include sensitive event identifiers, routing details, or excerpts of prompts. In this automation setting, those logs can become a secondary data leak channel, especially because previews may contain transformed untrusted content destined for agents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script persists full webhook payloads to a JSONL file without any notice, consent flow, redaction, or access-control handling. Because webhook payloads commonly contain personal data, secrets, tokens, or internal event contents, this creates a data exposure and retention risk if the file is read by other users, backed up insecurely, or stored longer than intended.

Unpinned Dependencies

Low
Category
Supply Chain
Content
redis
pyyaml
Confidence
98% confidence
Finding
redis

Unpinned Dependencies

Low
Category
Supply Chain
Content
redis
pyyaml
Confidence
99% confidence
Finding
pyyaml

Known Vulnerable Dependency: redis — 4 advisory(ies): CVE-2023-28858 (redis-py Race Condition vulnerability); CVE-2023-28859 (redis-py Race Condition due to incomplete fix); CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connectio) +1 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
redis

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
pyyaml

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.