Kiro Realtime Chat

Security checks across malware telemetry and agentic risk

Overview

This is a local file-based chat helper whose behavior matches its stated purpose, but messages persist in a shared plaintext JSON file.

Install only if you are comfortable with local plaintext chat history in ~/.openclaw/workspace/memory/kiro-realtime.json. Do not send secrets through it, treat received messages as untrusted input, and stop any polling loop when coordination is finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly stores chat contents in a shared JSON file without any warning about plaintext persistence, access controls, or sensitivity restrictions. In a multi-instance environment, this can expose conversation contents, task data, prompts, or secrets to any local user, process, backup system, or log pipeline that can read the file, making unintended disclosure plausible.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The script mutates the shared chat file by updating `lastCheck` and marking messages as read without any user-facing warning or confirmation. In a shared or automation-driven environment, simply inspecting messages can silently destroy unread-state evidence, cause missed communications, and create audit ambiguity about whether a user actually reviewed the messages.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal