Video Messages from your openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates avatar videos and sends them as Telegram video notes, with no evidence of hidden behavior or unrelated data access.

Install this only if you want your agent to create and send Telegram video notes. Verify the avatarcam npm package name and publisher before installing, and review the message content and destination before asking the agent to send.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The workflow explicitly instructs the agent to generate media and immediately transmit it via the `message` tool, then return `NO_REPLY`, without requiring an explicit confirmation step or a user-facing notice that content will be sent to Telegram. In a messaging skill, automatic sending is contextually expected, but suppressing any visible confirmation increases the risk of unintended transmission of generated or transformed user content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal