ARC Reactor

Security checks across malware telemetry and agentic risk

Overview

The skill is a real research and knowledge-base tool, but it grants broad automatic web access, background execution, persistent storage, and external delivery behavior that users should review before installing.

Install only if you want an autonomous research/wiki system, not a passive summarizer. Use a dedicated workspace, avoid sensitive media or private URLs, review any configured API keys, disable AUTO_SYNC unless you explicitly want Obsidian copies, and require confirmation before link ingestion, cloud transcription, background workers, or Telegram/Discord file delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import json

def run(cmd):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip(), result.returncode

def audit():
Confidence
96% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Tainted flow: 'params' from os.environ.get (line 291, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
with open(audio_path, "rb") as f:
    audio_data = f.read()

resp = requests.post(
    endpoint,
    headers=headers,
    params=params,
Confidence
89% confidence
Finding
resp = requests.post(endpoint, headers=headers, params=params, data=audio_data, timeout=30)

Tainted flow: 'sub_url' from os.environ.get (line 619, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
sub_url = subtitles[lang][0].get("url")
if sub_url:
    try:
        sub_resp = requests.get(sub_url, timeout=30)
        sub_resp.raise_for_status()
        auto_subtitle = sub_resp.text
        break
Confidence
93% confidence
Finding
sub_resp = requests.get(sub_url, timeout=30)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The spec explicitly instructs the agent to persist a user-provided path into `.env`, which is a local configuration file with lasting side effects beyond the immediate task. In a skill whose primary purpose is knowledge compilation, silently modifying local config expands scope and can create unsafe persistence, especially if the path is malformed, sensitive, or later reused by other tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The dispatcher explicitly instructs the agent to execute shell commands that create directories, touch files, and remove files on the local filesystem. Even though framed as validation, this expands the skill from knowledge compilation into host-side command execution and filesystem modification, which is risky because it acts on user-provided paths and is not necessary for the core wiki-ingestion purpose.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document broadens the skill's behavior from compiling knowledge into automatically configuring local Obsidian sync and modifying workspace settings. This increases the agent's authority over local state and introduces persistence/configuration side effects that are outside the stated skill scope, making accidental or unauthorized changes more likely.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file instructs the front orchestrator to invoke system-level spawn/sub-agent creation and yield control mechanisms, which materially broadens the skill from content ingestion into agent runtime orchestration. In a hostile or misconfigured environment, this enables unbounded background task creation and reduced user visibility over what actions are being taken, especially when paired with web fetching and autonomous continuation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The protocol requires workers to physically generate files and references cross-domain popup/group delivery, describing persistence and external delivery capabilities beyond the declared knowledge-compilation purpose. That combination increases the risk of unauthorized data storage, unintended exfiltration, and side effects outside the user’s immediate session.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guidance redefines the skill as a front-agent dispatch and worker-management framework rather than a simple knowledge compilation tool. This scope expansion is dangerous because it encourages the orchestrator to act as a general control plane, increasing attack surface and making it easier to hide risky actions behind seemingly benign ingestion requests.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template instructs workers to send a source file to a Telegram user even though the skill’s core purpose is knowledge ingestion and compilation. This adds an external data-exfiltration channel that can disclose scraped, transcribed, or synthesized content without clear necessity, authorization checks, or destination validation.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The document explicitly requires the skill to perform autonomous outbound research for disputes, reputation, and competitor analysis beyond the user-provided material. This expands the skill from ingestion/compilation into unsandboxed investigative behavior, which can trigger unnecessary data egress, scope creep, and collection of unrequested third-party information.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file redefines the skill as an aggressive autonomous researcher rather than a compiler for supplied sources, contradicting the stated skill purpose. When documentation authorizes behavior beyond the manifest, users and downstream systems may not anticipate outbound actions, increasing the risk of privacy violations, policy bypass, and misuse of enabled tools.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README provides direct execution examples for archiving content and performing context injection, but it gives no warning about what data may be stored, transmitted, or reused. In a knowledge-ingestion skill, these commands can cause operators or agents to process sensitive user content, persist it to a wiki/archive, or inject retrieved material into later prompts without informed consent, which increases the risk of unintended data retention and context contamination.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger phrases include very common expressions such as '帮我看', '读一下', and '看看这个', making accidental activation likely during normal conversation. Because activation can lead to spawning workers, network fetching, transcription, and file writes, broad triggers materially increase the risk of unintended privileged actions.

Vague Triggers

High
Confidence
98% confidence
Finding
The natural-language trigger section says that ordinary phrases and even sending any link should automatically trigger Ingest + Display. In this skill's context, that is especially risky because ingest is not passive: it invokes tools, may access external content, writes to a persistent wiki, and can trigger downstream sync behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The spec combines persistent configuration writes and subsequent filesystem operations without requiring a clear warning or explicit consent. That is dangerous because users may not realize the agent will alter local configuration and enable future automatic writes to an external vault path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic copying of generated reports into an Obsidian vault can disclose sensitive source material into a broader personal knowledge store, cloud-synced folder, or shared workspace. Without a privacy warning and opt-in, users may unintentionally export confidential or proprietary content to locations with different retention and access controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions tell the agent to write user-supplied paths into `.env` or `openclaw.json`, creating persistent local configuration changes without an explicit warning or confirmation step. This is dangerous because it can silently alter workspace behavior, store incorrect or sensitive paths, and make later actions operate on unintended locations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The validation flow performs real writes and deletes in the user's Obsidian vault using `mkdir`, `touch`, and `rm` without clearly warning that test artifacts will be created. Even temporary writes can affect synced vaults, trigger plugins/automation, or modify sensitive directories if the configured path is wrong.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The rule mandates automatic compilation after every report and allows creating or updating multiple knowledge files without any explicit user confirmation or warning that persistent state will be modified. In this skill context, the agent ingests external content and may perform broad file writes, so silent persistence can surprise users, pollute the knowledge base, and make prompt-injected or low-quality source material durable.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instruction to directly overwrite existing data with new values for data conflicts enables destructive updates without validation, user approval, or preservation of prior state. In a knowledge-ingestion skill handling untrusted web, article, and video sources, this is especially dangerous because incorrect, manipulated, or prompt-injected content can silently replace trusted facts and corrupt downstream retrieval and decision-making.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown directs background workers to generate files as a side effect without any user-facing disclosure that the system will write artifacts to storage. Silent persistence is risky because it can create unexpected data retention, overwrite conflicts, or local artifact buildup from untrusted sources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol directs immediate web crawling and concurrent background execution without warning the user about network access, data collection, or downstream handling. In the context of a skill that ingests arbitrary URLs and articles, this is more dangerous because attacker-supplied links can trigger broad outbound requests and opaque processing of untrusted content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are very broad and overlap with ordinary conversational language such as asking the assistant to 'look at this' or 'search this'. In this skill, those phrases can automatically invoke ingest behavior on arbitrary external content, increasing the chance of unintended activation, unwanted network/file processing, and accidental persistence of data into the knowledge base.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template directs the worker to send source files to a Telegram recipient without any privacy notice, consent check, or warning about potentially sensitive content. Because this skill aggregates material from URLs, articles, and transcriptions, the generated source may contain personal, copyrighted, or confidential data that is then disclosed through an external messaging channel.

VirusTotal

VirusTotal findings are pending for this skill version.