Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real sandboxed command runner, but it overstates its safeguards and leaves a local command-execution daemon running after use.

Review carefully before installing. Treat this as a Bubblewrap wrapper around arbitrary shell commands, not as a complete approval, audit, or loop-prevention system. Use it only in a controlled workspace, assume commands can change files in the current directory, and be prepared to stop the background daemon and clear its cache when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell, network, and environment-related capabilities without declaring corresponding permissions, which undermines transparency and any permission-based trust model. In an agent context, undeclared access increases the chance that the skill can perform actions operators did not knowingly authorize, especially when paired with command execution and a daemonized control layer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a narrow shell sandbox, but the behavior described by analysis is materially broader: runtime compilation, persistent daemon management, local API exposure, policy mediation over file and network activity, and optional TCP listening. This mismatch is dangerous because users and agents may trust the skill as a constrained safety wrapper while it actually introduces new long-lived attack surface, network exposure, and broader interception capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code exposes direct shell execution via `sh -c` and passes an arbitrary `command` string into the shell, creating a powerful command-execution primitive. Although Bubblewrap reduces host impact, the skill is explicitly designed to run shell commands for AI agents and makes the provided working directory writable inside the sandbox, so misuse can still damage project files, exfiltrate accessible data, or execute unsafe actions within the mounted workspace.

VirusTotal

66/66 vendors flagged this skill as clean.
