Back to skill

Security audit

NightPatch

Security checks across malware telemetry and agentic risk

Overview

NightPatch is purpose-aligned automation, but it asks for unattended authority to read shell history, change shell startup files, move files, and delete logs with incomplete scoping and rollback controls.

Install only after reviewing the shell scripts and source. Run ./start.sh dry-run first, do not enable cron until you are comfortable with real unattended changes, back up ~/.bashrc and important workspace files, and avoid using it where shell history or project files contain secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guide makes a misleading safety claim that the skill 'will not modify system files' while immediately documenting writes to shell startup files and deletion of logs. Even if these are user-scoped files rather than OS binaries, they affect execution environment and persistence, so the contradiction can cause users to underestimate risk and approve unsafe installation or automation.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation makes contradictory claims about log handling: it says log files are only read for analysis, but also states that old logs may be deleted. This inconsistency weakens trust in the stated safety model and can mask broader-than-advertised file modification behavior, especially in an automated overnight skill that runs unattended.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The help text explicitly promises that `--test` will not actually execute, but `main()` still runs patch selection, execution, report writing, and audit logging when `--test` is supplied. In an automation skill that performs changes, this mismatch can cause users or calling agents to invoke a supposedly safe dry-run mode and still modify the environment or leave persistent artifacts.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The supposed command-existence safety check uses `which ... || true`, which suppresses failure and prevents the check from rejecting invalid or malicious input. This creates a false sense of validation around shell-executed data and weakens a control that operators may rely on before persistent shell modification occurs.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
This code executes shell commands derived from opportunity fields, including alias lookup and command validation, without a narrowly scoped manifest purpose or strong input constraints. In skill/agent contexts, accepting structured but potentially adversarial input makes shell access especially dangerous because it can become command injection or unauthorized system manipulation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module persists aliases into the user's `.bashrc` based on untrusted opportunity data, altering future shell behavior beyond the current run. Because `suggested_alias` and `original_command` are interpolated into shell/config syntax, this can enable persistent command injection, environment tampering, or stealthy user-impacting changes.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The Markdown report unconditionally states that all security checks passed, even though no verification logic or audit result is consulted before emitting that status. This can mislead operators into trusting unsafe automated patch activity, causing failed, skipped, or policy-violating runs to be treated as compliant.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The HTML report also hard-codes a green 'all security checks passed' status without evaluating any real security controls. In a system that performs autonomous remediation, inaccurate security attestations can conceal unsafe behavior and undermine operator review and incident response.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script labels this path as a 'dry-run' and 'detection-only' mode, but it still loads and executes application code via Node.js and invokes detector logic. If any detector performs filesystem writes, shell commands, network access, or other side effects during detection, users will be misled into running active code when they expected a safe preview.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads the user's shell history file by default (~/.bash_history), which can contain sensitive commands, tokens, credentials pasted into shells, internal hostnames, and operational details. In an agent skill context, silently collecting this data without explicit consent or clear disclosure expands access to sensitive local information beyond what users may expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code modifies `.bashrc` without any explicit warning or confirmation, creating a persistence and transparency problem. Users may be unaware their shell startup configuration was changed, which increases the chance of stealthy misuse and complicates incident response.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file move logic changes user files immediately and can rename on conflict, but it does so without explicit confirmation or a robust transactional rollback. In an agent setting, untrusted or mistaken opportunity inputs could reorganize arbitrary files and disrupt user workflows or hide data unexpectedly.

Missing User Warnings

High
Confidence
99% confidence
Finding
This function irreversibly deletes log files and even states rollback is impossible, yet performs the action without pre-execution warning or confirmation. In hostile or malformed input scenarios, this can destroy forensic evidence, operational logs, or important user data with no recovery path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manual run command directly executes the main patch workflow without any confirmation, warning, scope preview, or summary of what may be modified. In a self-patching skill, that increases the chance of unintended system or repository changes, especially when users may assume the command is routine or reversible.

Ssd 3

Medium
Confidence
88% confidence
Finding
Audit logging writes raw JSON details to a plaintext log under the current workspace, which can include filenames, commands, actions, and other operational data. In agent environments, these logs may expose sensitive workspace structure or user activity to other users, tools, backups, or later prompts that read local files.

Ssd 3

Medium
Confidence
96% confidence
Finding
On failure, the code logs full exception messages and stack traces both to console and to the audit log, which can reveal absolute paths, configuration contents, filenames, and runtime context. In shared or persistent environments, this creates an information disclosure risk that can help attackers map the system or access sensitive project metadata.

Self-Modification

High
Category
Rogue Agent
Content
# NightPatch Skill v1.0.2 - 发布说明

## 🎯 技能概述
**夜间自动修补技能** - 基于虾聊社区热门帖子「试了一下「夜间自动修补」,Master 早上起来直接用上了」理念开发。
Confidence
78% confidence
Finding
Patch Skill

Self-Modification

High
Category
Rogue Agent
Content
# NightPatch Skill - 夜间自动修补

基于虾聊社区热门帖子「试了一下「夜间自动修补」,Master 早上起来直接用上了」的理念开发。
Confidence
91% confidence
Finding
Patch Skill

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "OpenClaw Assistant",
  "license": "MIT",
  "dependencies": {
    "yaml": "^2.3.0",
    "chalk": "^4.1.2"
  },
  "engines": {
Confidence
86% confidence
Finding
"yaml": "^2.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "yaml": "^2.3.0",
    "chalk": "^4.1.2"
  },
  "engines": {
    "node": ">=14.0.0"
Confidence
83% confidence
Finding
"chalk": "^4.1.2"

Known Vulnerable Dependency: yaml==2.3.0 — 1 advisory(ies): CVE-2026-33532 (yaml is vulnerable to Stack Overflow via deeply nested YAML collections)

Low
Category
Supply Chain
Confidence
92% confidence
Finding
yaml==2.3.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/patch-executor.js:171

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/basic.test.js:40