Security audit

OpenClaw Skills Creator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent skill-authoring helper that creates, edits, validates, and packages skill files without hidden network, credential, or destructive behavior.

Install this only if you want Codex to help author or revise OpenClaw skills. Use explicit target paths, review SKILL.md and any generated scripts before installing or publishing, and inspect packaged .skill archives if the source directory may contain private files. At the time of this overview the VirusTotal scan was still pending and the static scan was clean, so neither contributed artifact-backed negative evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read environment variables, read and write files, invoke shell commands, and potentially access networked resources via bundled tooling, but it declares no permissions or equivalent capability constraints. This creates an under-specified trust boundary: a user or orchestrator may activate the skill without realizing it can perform privileged actions like filesystem modification and command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as creating and editing skills, but the body also directs packaging, validation, and archive-handling behavior that expands operational scope. That mismatch can cause unintended invocation in contexts where a user expects simple documentation edits, while the skill may proceed to run scripts, validate structures, or create distributable archives.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to match generic requests such as 'review the skill' or 'clean up the skill,' which can activate a skill that has write and shell-execution guidance. Over-broad activation increases the chance that a high-capability skill is selected inappropriately, leading to unnecessary file modification or execution of bundled scripts.

Self-Modification

High
Category
Rogue Agent
Content
1. Understand the skill with concrete examples
2. Plan reusable skill contents (scripts, references, assets)
3. Initialize the skill (run init_skill.py)
4. Edit the skill (implement resources and write SKILL.md)
5. Package the skill (run package_skill.py) — **optional, only when user explicitly requests or when publishing to ClawHub**
6. Iterate based on real usage
Confidence
93% confidence
Finding
write SKILL

Self-Modification

High
Category
Rogue Agent
Content
If you used `--examples`, delete any placeholder files that are not needed for the skill. Only create resource directories that are actually required.

#### Update SKILL.md

**Writing Guidelines:** Always use imperative/infinitive form.
Confidence
94% confidence
Finding
Update SKILL

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.