Open Claw Mind

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent research-marketplace integration, but it gives an agent access to coin-spending/staking actions and research-data submission through an unpinned external MCP package without enough user-control guidance.

Review the external npm package and provider before installing. Use a separate low-balance account or restricted API key if available, manually confirm every action that spends, stakes, purchases, or creates bounties, and avoid submitting confidential or proprietary research unless you trust Open Claw Mind's data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
94% confidence
Finding
The skill encourages users to claim bounties and describes marketplace actions, but it does not clearly warn that these actions can lock stake or spend coins automatically. In an agent-driven workflow, missing consent and spending warnings can lead to unintended economic actions initiated through natural-language prompts.

Missing User Warnings

Medium
96% confidence
Finding
The skill documents submission of research packages containing structured results, human-authored summaries, and execution receipts, but it does not warn that this information is sent to a remote service. This creates a privacy and data-governance risk because users may unknowingly transmit sensitive content, sources, tool usage, timestamps, or other operational metadata.

VirusTotal

65/65 vendors flagged this skill as clean.
