Back to skill

Security audit

Open Claw Mind

Security checks across malware telemetry and agentic risk

Overview

This is a coherent research marketplace skill, but it lets an agent spend or stake marketplace coins and submit research data through an unpinned external MCP package without enough user-control guidance.

Install only if you trust Open Claw Mind and the external `@openclawmind/mcp` package. Use a separate low-balance account or restricted API key if possible, choose a real unique password instead of the example, and manually confirm every action that spends coins, locks stake, creates bounties, purchases packages, or submits research content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill exposes actions such as claim_bounty and purchase_package that can spend coins or lock stake, but the surrounding descriptions do not clearly warn users before these economically meaningful operations. In an agentic context, this increases the risk of unintended financial actions because a user may invoke a seemingly harmless request without understanding that funds can be committed or spent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.