Security audit

skill-sediment

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it installs a background conversation reviewer that can persist and promote generated skills and reports session metadata to backend services with insufficient user-facing disclosure.

Install only if you are comfortable with a background reviewer reading OpenClaw conversations, persisting derived workflow notes, reporting session metadata to backend services, and eventually activating generated skills for future sessions. Restrict validAgentId, disable auto-review if not needed, review sedimented skills before relying on them, avoid discussing secrets in sessions where this is active, and use a pinned SHA-256 if the CDN fallback is ever used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
        bak = OPENCLAW_JSON.with_suffix(f".json.bak.{int(time.time())}")
        shutil.copy(OPENCLAW_JSON, bak)
        log(f"Backed up original config → {bak.name}")
OPENCLAW_JSON.write_text(
    json.dumps(cfg, indent=2, ensure_ascii=False) + "\n"
)
ok("openclaw.json written")
Confidence
89% confidence
Finding
OPENCLAW_JSON.write_text( json.dumps(cfg, indent=2, ensure_ascii=False) + "\n" )

Tainted flow: 'req' from os.environ.get (line 216, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = urllib.request.Request(
    CDN_PLUGIN_TARGZ, headers={"User-Agent": "skill-sediment-installer"}
)
with urllib.request.urlopen(req, timeout=60) as resp, open(
    dest_targz, "wb"
) as f:
    shutil.copyfileobj(resp, f)
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp, open(

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
        OPENCLAW_JSON,
        OPENCLAW_JSON.with_suffix(f".json.bak.{int(time.time())}"),
    )
OPENCLAW_JSON.write_text(
    json.dumps(cfg, indent=2, ensure_ascii=False) + "\n"
)
ok("openclaw.json updated")
Confidence
88% confidence
Finding
OPENCLAW_JSON.write_text( json.dumps(cfg, indent=2, ensure_ascii=False) + "\n" )

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → shutil.copy (file write)

Medium
Category
Data Flow
Content
    # Don't accumulate backups in managed envs; only back up in unmanaged envs
    if not is_managed:
        bak = OPENCLAW_JSON.with_suffix(f".json.bak.{int(time.time())}")
        shutil.copy(OPENCLAW_JSON, bak)
        log(f"Backed up original config → {bak.name}")
OPENCLAW_JSON.write_text(
    json.dumps(cfg, indent=2, ensure_ascii=False) + "\n"
Confidence
86% confidence
Finding
shutil.copy(OPENCLAW_JSON, bak)

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
entry_cfg.setdefault("enabled", True)
entry_cfg.setdefault("config", {})["validAgentId"] = valid_agent
try:
    OPENCLAW_JSON.write_text(
        json.dumps(cfg_now, indent=2, ensure_ascii=False) + "\n"
    )
    ok(f"validAgentId written: {valid_agent}")
Confidence
89% confidence
Finding
OPENCLAW_JSON.write_text( json.dumps(cfg_now, indent=2, ensure_ascii=False) + "\n" )

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
entry_cfg.setdefault("enabled", True)
entry_cfg.setdefault("config", {})["validAgentId"] = valid_agent
try:
    OPENCLAW_JSON.write_text(
        json.dumps(cfg_now, indent=2, ensure_ascii=False) + "\n"
    )
    sync_plugins_to_clawconfig(cfg_now)
Confidence
89% confidence
Finding
OPENCLAW_JSON.write_text( json.dumps(cfg_now, indent=2, ensure_ascii=False) + "\n" )

Tainted flow: 'OPENCLAW_JSON' from os.environ.get (line 72, credential/environment) → shutil.copy (file write)

Medium
Category
Data Flow
Content
if changed:
    is_managed, _ = detect_managed_env()
    if not is_managed:
        shutil.copy(
            OPENCLAW_JSON,
            OPENCLAW_JSON.with_suffix(f".json.bak.{int(time.time())}"),
        )
Confidence
86% confidence
Finding
shutil.copy( OPENCLAW_JSON, OPENCLAW_JSON.with_suffix(f".json.bak.{int(time.time())}"), )

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code reports review subagent sessions to external backends via reportSession and may send whitelist notifications through sendUserQueryWhitelistHiMessage, even though the declared skill scope is limited to local install/operation workflows. That creates an undisclosed data egress path for session metadata and review activity, which is risky because users and operators would not reasonably expect backend reporting from this skill.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file emits UBA telemetry containing parent session key/id, review session key, agent ID, model name, token usage, outcome labels, and skill names. Because the manifest does not disclose analytics collection/export, this is an undocumented exfiltration channel for operational and potentially sensitive conversation metadata.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The promote action moves agent-generated content from the isolated sediment area into the engine-loaded skills/ directory, which changes it from inert draft data into active code/instructions the platform will automatically load in future sessions. In the context of a plugin whose declared purpose is install/repair/diagnostics, this is a capability expansion that can be abused for persistence and unauthorized behavior injection even though the file includes some scanning and maturity checks.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This file exposes full skill lifecycle management primitives—create, edit, patch, delete, and arbitrary supporting-file writes—which materially exceed a narrow plugin-management role and enable an agent to rewrite its own reusable instruction set. In an agent skill ecosystem, that is security-sensitive because it creates a self-modification surface that can be used to plant harmful instructions or stage later promotion into active skills.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The scanner explicitly exempts `builtin` skills from any inspection and returns a hardcoded safe verdict. That creates a trust-based bypass: if an attacker can get a malicious skill classified or shipped as built-in, all detection and install-policy controls are skipped.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The documentation asserts sediment_skills is the only write base and that the plugin cannot modify non-sediment skills, but later code promotes content into skills/ and migrates legacy entries there. That mismatch weakens operator trust and can conceal broader write capability into the live skill namespace, increasing the risk of unintended overwrite, privilege expansion, or persistence in the active skills set.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that a background sub-agent listens to conversations and writes successful workflows into SKILL.md files, but it does not present a prominent privacy notice, consent step, or data-handling warning at the point of description. Because conversation content may include secrets, proprietary data, or personal information, silent or insufficiently disclosed background capture can lead to unintended persistence and later exposure of sensitive material.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The install/recover/heal descriptions indicate deployment, config changes, and restart behavior, but they do not foreground that running these commands can modify plugin state, alter allowlists, and potentially restart the gateway. This is dangerous mainly from an operational transparency standpoint: users may trigger state-changing actions without understanding service interruption or configuration side effects.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases include broad terms like 'sediment not working' and 'install/port/clone sediment', which can overlap with ordinary support conversations and cause accidental activation of a skill that performs filesystem changes, config edits, or restart-related actions. In a privileged agent environment, ambiguous activation increases the chance of unintended operational changes from casual troubleshooting requests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When gates pass, the plugin fetches parent session messages, condenses them, and sends that conversation context to a background review subagent with no evidence of user disclosure or consent in this file. Even if the subagent is internal, this duplicates and propagates user conversation content beyond the primary interaction path, increasing privacy exposure and the blast radius of prompt/data leakage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The telemetry path sends session identifiers, review outcome data, skill names, model identifiers, and token-usage metrics without any user-facing disclosure in this file. This is dangerous because metadata of this kind can reveal user activity patterns, model usage, and internal workflow details even if full message content is not exported.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The plugin reports review sessions to an external backend for traceability and may emit additional whitelist notifications, but this reporting is not disclosed in the file's user-facing behavior. Undisclosed traceability/reporting introduces privacy and governance risk because it creates external records of review activity tied to session identities.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document states that the plugin automatically writes successful workflows to `SKILL.md` files in the workspace, but it does not mention user consent, visibility, or safeguards around filesystem modification. In an agent/plugin context, silent creation and promotion of files can alter trusted skill directories and persist LLM-generated content without review, which creates a real integrity and supply-chain risk.

Ssd 3

Medium
Confidence
95% confidence
Finding
The review prompt explicitly requires the sub-agent to quote user text verbatim, preserve ordered user intents, and carry forward artefact summaries in a handoff block. That creates a built-in retention channel for potentially sensitive user data, increasing the chance that private content is persisted, resurfaced in later reviews, or written into generated skill material beyond the original session scope.

Ssd 3

Medium
Confidence
93% confidence
Finding
The prior-handoff preamble instructs the reviewer to reuse context from previous reviews of the same session, enabling accumulated natural-language memory across review cycles. In a plugin whose purpose is to transform conversations into reusable artifacts, this increases the risk that sensitive user data is retained longer than necessary and later reintroduced into prompts, outputs, or promoted skills.

VirusTotal

VirusTotal findings are pending for this skill version.