envguard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate secret-scanning skill, but it can scan broad local data and make lasting security-configuration changes that deserve review.

Install only if you want a broad local secret-scanning tool. Before using it, review commands that scan full history or arbitrary paths, confirm before installing hooks, and keep allowlist entries narrow and repository-specific whenever possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, but its documented behavior includes reading environment variables and writing configuration or hook files. That creates a transparency and least-privilege problem: users and orchestration systems may authorize or invoke the skill without understanding that it accesses secrets and modifies files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a pre-commit secret detector, but the documentation describes substantially broader behavior: scanning arbitrary directories, staged diffs, full git history, config mutation, policy loading, and license processing. This mismatch can mislead users into granting trust or invoking the skill in contexts far beyond what its headline description suggests, increasing the risk of unintended access to sensitive source, history, and local configuration.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The allowlist feature persists user-supplied patterns into ~/.openclaw/openclaw.json, creating durable scanner exceptions at user scope. Because this mutates global security configuration and accepts arbitrary patterns, an overly broad or deceptive allowlist entry can silently suppress future secret detections across contexts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation examples are broad and map to common security-assistance phrases, which can cause the skill to trigger in situations where the user did not explicitly consent to repository-wide, staged-diff, or history scanning. In a security tool, over-broad triggering is risky because scans may touch highly sensitive material and produce side effects such as hook installation or config changes if command selection is ambiguous.

VirusTotal

66/66 vendors flagged this skill as clean.