Back to skill

Security audit

OpenClaw Profanity Plugin

Security checks across malware telemetry and agentic risk

Overview

This is a coherent profanity-moderation skill with expected moderation and logging cautions, but no artifact-backed evidence of hidden or malicious behavior.

Before installing, verify the npm package and linked repository are the intended ones, pin the dependency version, and deploy the bot with least-privilege moderation permissions. If you enable logging, moderator notifications, message deletion, or automatic bans, define clear review, retention, redaction, and appeal rules for your community.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly recommends logging profanity violations and message context, but provides no warning about storing user-generated content, retention limits, redaction, or access controls. In a moderation plugin, logged violations can contain sensitive or regulated personal data, so normalizing logging without privacy guidance can lead to unnecessary exposure or compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.