Security audit

Local Model Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its full auto setup performs real local installation, model downloads, and OpenClaw config changes.

Install only if you want an agent helper that can set up Ollama locally. Run detect or recommend first for read-only guidance; run auto only if you are comfortable installing Ollama, downloading large model files, and changing files under ~/.openclaw. Back up ~/.openclaw/openclaw.json before using auto.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("  📥 Installing Ollama...")
    try:
        if platform.system() == 'Linux':
            result = subprocess.run(
                ['sh', '-c', 'curl -fsSL https://ollama.com/install.sh | sh'],
                capture_output=True, text=True, timeout=300
            )
Confidence
99% confidence
Finding
result = subprocess.run( ['sh', '-c', 'curl -fsSL https://ollama.com/install.sh | sh'], capture_output=True, text=True, timeout=300 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                capture_output=True, text=True, timeout=300
            )
        elif platform.system() == 'Darwin':
            result = subprocess.run(
                ['brew', 'install', 'ollama'],
                capture_output=True, text=True, timeout=300
            )
Confidence
90% confidence
Finding
result = subprocess.run( ['brew', 'install', 'ollama'], capture_output=True, text=True, timeout=300 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises capabilities that can read files, write configuration, and invoke shell commands, but it does not declare permissions or boundaries for those actions. That creates a real security issue because users and the platform cannot clearly assess or constrain what system modifications the skill may perform, especially since the workflow includes installation and configuration steps.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill description emphasizes recommending and configuring local models, but the implementation also installs Ollama by fetching and executing a remote shell installer. That hidden expansion of capability is dangerous because users may invoke the skill expecting analysis/config only, while it can actually execute unreviewed remote code and make persistent host changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code performs host-modifying installation actions (`curl | sh` and `brew install`) that go beyond a narrow optimization helper and materially change the system. In a skill ecosystem, broader-than-advertised execution capabilities increase the blast radius of misuse and make trust decisions harder for users and orchestrators.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill's quick-start and command descriptions promote automated installation, model downloads, routing changes, and writes to local configuration without a clear warning that it will modify the host system. In context, this is more dangerous because the skill is specifically designed to inspect hardware, install software, and alter application behavior, so a user could trigger impactful changes without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
In the automated setup flow, if Ollama is missing, the script proceeds to install it without interactive approval. Automatic execution of installation commands—especially when one path uses a remote shell installer—creates a high-risk surprise side effect that can lead to unauthorized software changes or remote code execution.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.