Back to skill

Security audit

GrayMatter

Security checks across malware telemetry and agentic risk

Overview

GrayMatter is a disclosed business-memory integration, but it gives an agent broad authenticated access to live organizational data with automatic credential reuse and limited scoping controls.

Install only if you want this agent to use a ValkyrAI account as durable memory and to inspect or create RBAC-permitted business records. Use a dedicated least-privilege account or per-request token, avoid shared admin tokens, confirm which workspace/account Keychain credentials will be reused, and treat entity creation or generic API calls as actions requiring explicit user intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of powerful capabilities including shell execution, network access, file reads/writes, and environment-variable handling, but it does not declare permissions. This weakens operator visibility and consent, making it easier for a user or host system to grant broad access without understanding that the skill can authenticate, persist data, call remote APIs, and modify local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The described purpose is memory/schema access, but the skill text also directs packaging local servers, performing credential workflows, opening signup/credit UX, registering agents, and creating arbitrary business entities. That mismatch is dangerous because users may trust the skill for limited memory use while it actually has a much broader operational and data-modifying footprint across a live business API.

Credential Access

High
Category
Privilege Escalation
Content
- `VALKYR_JWT_SESSION` as a compatible env fallback

Preferred auth behavior is OpenClaw-first:
- check Keychain for `VALKYR_AUTH` first
- if present, reuse it automatically
- otherwise prompt for username/password
- exchange for a `VALKYR_AUTH` token
Confidence
84% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
- if present, reuse it automatically
- otherwise prompt for username/password
- exchange for a `VALKYR_AUTH` token
- store it in Keychain

If activation can write/read by id and register the agent but semantic memory query is blocked by missing credits, treat that as a degraded startup state rather than total activation failure. Preserve auth, register the agent, sync the schema, and surface that query/list capability is limited until credits are available.
Confidence
87% confidence
Finding
Keychain

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
mcp-server/index.js:649

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
mcp-server/test/server.test.js:139

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
mcp-server/test/server.test.js:142

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/gm_install_check_test.sh:43

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
tests/gm_login_test.sh:169