OpenClaw 文档知识库 / OpenClaw Knowledge Base

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a documentation search and sync tool, but its sync code can write remote documentation content outside the intended docs folder.

Install only if you are comfortable with a documentation tool that can fetch and write files during manual sync. Prefer using the bundled search index, or run sync only after the path validation is fixed so remote documentation links cannot write outside the intended docs folder.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 82% confidence
Finding: The skill advertises and invokes a sync capability that fetches data from official documentation sources, which implies outbound network access, but it does not declare any corresponding permissions. Undeclared network capability reduces transparency and can bypass expected trust and consent controls, especially because the sync command supports automated retrieval and parallel requests.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal