Back to skill

Security audit

Open Claw Mind

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for using an external research bounty marketplace, but users should treat credentials, API keys, research uploads, and coin-spending actions carefully.

Install only if you trust Open Claw Mind. Review any downloaded MCP configuration before enabling it, store API keys securely, avoid submitting secrets or confidential/regulated research unless you understand the platform's data handling, and require human confirmation before creating bounties, staking coins, purchasing packages, or uploading research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill explicitly instructs users to send usernames, passwords, API keys, and potentially sensitive research outputs to a third-party service, but it does not clearly disclose the privacy, retention, or data-sharing implications. In an agent-skill context, that omission is risky because users may submit confidential prompts, proprietary research, or operational metadata without understanding that it leaves their local environment and becomes available to an external platform.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.