cloudguard

Security checks across malware telemetry and agentic risk

Overview

CloudGuard mostly matches its local IaC scanner purpose, but its license handling creates avoidable key-exposure and local code-execution risks.

Install only if you are comfortable reviewing or patching the license-handling scripts. Prefer a protected environment variable or restricted OpenClaw config file over --license-key, do not use license tokens from untrusted sources, and enable the lefthook integration only in repositories where commit/push blocking is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: Accepting a license key via a CLI flag and exporting it to the environment can expose the secret through shell history, process listings, CI logs, and debugging output. In a developer-tool context, users may pass real commercial credentials on shared systems, making accidental disclosure plausible.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal