Security Auditor for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent local security scanner, but its dashboard and persistent trust controls need review before installation.

Install only if you want a privileged local auditing tool that can read skill files and write local audit state. Avoid leaving the dashboard running while browsing untrusted sites, review the whitelist regularly, review any SKILL.patched.md before using it, enable background monitoring only intentionally, and do not run the bundled sample skill scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (35)

Tainted flow: 'req' from os.environ.get (line 35, credential/environment) → urllib.request.urlopen (network output)
Severity: Critical | Category: Data Flow | Confidence: 99%
Content:

)

try:
    with urllib.request.urlopen(req) as resp:
        print(f"Sync complete: {resp.status}")
except Exception as e:
    print(f"Sync failed: {e}", file=sys.stderr)

Finding: with urllib.request.urlopen(req) as resp:

Description-Behavior Mismatch
Severity: High | Confidence: 97%
Finding: The README states the tool is 'Read-only' and 'never modifies or deletes skill files,' but elsewhere documents features like `--fix` generating patched manifests and whitelist management that write files. This kind of contradictory safety claim can mislead users into granting trust or running the tool under false assumptions about side effects.

Intent-Code Divergence
Severity: High | Confidence: 96%
Finding: The README documents an auto-fix feature that generates modified manifests while also presenting the tool as read-only. In a security tool, inaccurate claims about whether files are modified undermine informed consent and can cause unsafe operational assumptions in CI, shared repos, or privileged environments.

Description-Behavior Mismatch
Severity: Medium | Confidence: 94%
Finding: The skill claims static-only analysis, yet its interface documents remediation actions that modify skills and filesystem state. That contradiction can lead to unexpected mutation of installed skills and undermines the safety boundary implied by 'audit-only' behavior.

Description-Behavior Mismatch
Severity: Low | Confidence: 88%
Finding: The manifest frames the skill as a scanner/reporter, but the documentation also instructs users to run it as a long-lived background watcher. Continuous monitoring materially changes the risk profile by creating persistent activity and ongoing access to skill directories.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding: The skill requests write:filesystem even though the primary advertised role is audit/reporting. Unnecessary write access allows unintended or malicious modification of user files, audit state, or other skills if the skill is misused.

Intent-Code Divergence
Severity: High | Confidence: 98%
Finding: The documentation says analysis must never modify skill files, but the CLI advertises a `--fix` mode that patches permissions. This is a direct safety-contract violation that can cause users to trust the skill as non-mutating when it is capable of changing installed artifacts.

Description-Behavior Mismatch
Severity: High | Confidence: 99%
Finding: The file behaves like a data collection and upload utility, not a local security-auditing component. That mismatch is especially dangerous because users would invoke a 'security-auditor' skill expecting defensive analysis, while the code instead reads arbitrary files and transmits them off-host.

Context-Inappropriate Capability
Severity: High | Confidence: 99%
Finding: Uploading local file contents to a remote server is not justified by the stated purpose of auditing installed skills, making this behavior highly suspicious and harmful in context. Because the preceding logic recursively reads files from a user-controlled directory, exploitation could expose large amounts of sensitive personal or business data.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding: Reading a backup token from the environment is unrelated to a skill whose advertised role is security auditing of installed skills. In context, this makes the code more dangerous because it suggests secret collection under false pretenses and feeds directly into the outbound upload path.

Scope Creep
Severity: Critical | Confidence: 100%
Finding: The code contacts an external internet host even though the manifest permits only localhost networking, which is a direct policy violation. In this context, the unauthorized destination is used to transmit collected local files and a token, greatly increasing the severity because it bypasses stated trust boundaries.

Context-Inappropriate Capability
Severity: High | Confidence: 99%
Finding: The script transmits telemetry to an external domain even though the declared skill purpose is security auditing, not analytics collection. This creates unnecessary data egress, may leak filesystem context such as target paths, and is especially suspicious because the manifest only declares localhost network access.

Context-Inappropriate Capability
Severity: Critical | Confidence: 100%
Finding: The code constructs and executes a destructive shell command, `rm -rf ${target}/*`, against a user-controlled path. In a skill advertised as a security auditor, destructive deletion is unrelated to stated functionality and can cause irreversible loss of arbitrary files, with added risk of shell injection due to unsanitized command construction.

Description-Behavior Mismatch
Severity: Critical | Confidence: 99%
Finding: There is a severe mismatch between the manifest description of an autonomous security scanner and the actual implementation, which performs file deletion and external telemetry. This deception makes the behavior more dangerous because users may grant powerful permissions expecting auditing, while the code performs unrelated destructive actions.

Scope Creep
Severity: High | Confidence: 98%
Finding: The code makes an outbound request to `https://analytics.example.com`, which exceeds the manifest's declared `network:localhost` permission boundary. This indicates either undeclared capability use or intentional permission bypass behavior, both of which undermine trust and can enable covert exfiltration.

Description-Behavior Mismatch
Severity: Medium | Confidence: 94%
Finding: The skill is presented as an auditor, but it also supports modifying local state via report saving, trust DB updates, whitelist reads, and especially `--fix` patch generation that writes altered `SKILL.md` content. For a security scanner, write-side effects increase risk because running an audit can change the environment and other skills, which is beyond pure read-only analysis.

Context-Inappropriate Capability
Severity: Medium | Confidence: 96%
Finding: Automatic metadata patching (`--fix`) is an additional capability beyond scanning/reporting and can alter other installed skills. In a security context, auto-rewriting security metadata is sensitive because an auditor becomes a mutator, which could damage configs or create unsafe trust in automated changes.

Context-Inappropriate Capability
Severity: Medium | Confidence: 90%
Finding: The dashboard invokes `child_process.execSync` to launch a browser via a shell command. Although the URL is intended to be local, the command string incorporates `PORT` from CLI/environment input and routes through platform shells, creating unnecessary command-execution risk for a skill whose permissions already include `exec:shell`. In this context, convenience browser opening is not essential to auditing and expands the attack surface.

Description-Behavior Mismatch
Severity: Medium | Confidence: 93%
Finding: This file exposes unauthenticated localhost HTTP endpoints that do more than reporting: they modify persistent whitelist state via `POST /api/whitelist/add` and `/api/whitelist/remove`, while also enabling permissive CORS with `Access-Control-Allow-Origin: *`. A local web page or local malicious process could drive these endpoints and silently alter trust decisions, weakening the scanner's future results by marking risky skills as trusted.

Description-Behavior Mismatch
Severity: Medium | Confidence: 93%
Finding: This script implements persistent whitelist state that can suppress future alerts for named skills, which meaningfully alters security outcomes beyond passive auditing/reporting. In a security-auditor skill, adding trust exceptions is especially sensitive because it creates a mechanism by which risky skills may be excluded from scrutiny or warning visibility, reducing defense-in-depth and enabling silent persistence of unsafe skills.

Intent-Code Divergence
Severity: Low | Confidence: 86%
Finding: The docstring understates the security significance of the feature by describing it as tracking trusted skills while also noting that it suppresses future alerts. Misleading or incomplete framing around alert suppression can cause operators to enable a bypass without appreciating that it weakens monitoring, making social engineering and unsafe trust decisions more likely.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding: An auto-fix feature that writes patched manifests is a material side effect, and the README does not prominently warn users to review generated changes before relying on them. Automated security 'fixes' can remove needed permissions, create broken configs, or be mistakenly applied in production without human validation.

Missing User Warnings
Severity: Medium | Confidence: 85%
Finding: The description does not warn users that audit reports are written to disk, which affects privacy and persistence expectations. Silent report creation can expose sensitive scan contents or filesystem paths to other local processes or future users of the machine.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The skill description omits warnings about shell execution and continuous monitoring guidance, despite both materially increasing risk. Missing disclosure makes informed consent difficult and may cause users to invoke a more powerful tool than they realize.

VirusTotal

67/67 vendors flagged this skill as clean.