Hey summon

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent human-help purpose, but it needs review because it handles live credentials, local OpenClaw access, persistent background execution, and an optional git push workflow with under-scoped safeguards.

Install only after reviewing the scripts and the repository's hygiene. Treat submitted prompts and context as shared with HeySummon and its human providers, and avoid sending secrets. Create a real .gitignore before use and keep .env, providers.json, .keys, .requests and logs out of git. Avoid or rewrite auto-sync, and understand that the watcher will use your local OpenClaw token while running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence (Medium, 88% confidence)

The documentation makes contradictory security claims: it says end-to-end encryption is handled server-side while also listing a local crypto component for key generation, encryption, and decryption. This can mislead operators and developers about the trust boundary, causing them to expose sensitive data to the platform or rely on protections that may not actually exist as described.

Intent-Code Divergence (Medium, 92% confidence)

The script description says it stores provider information, but the implementation also persists the supplied client API key into providers.json. Storing a live client credential on disk expands the attack surface because any local user, backup system, repository commit, or downstream tool that can read that file can reuse the key to impersonate the client.

Context-Inappropriate Capability (Medium, 96% confidence)

The script reads an OpenClaw gateway bearer token from the user's home directory and then uses it to call local privileged endpoints unrelated to the platform API being watched. This creates an implicit trust boundary crossing: a watcher for one service silently consumes credentials for another local service and can trigger actions or message delivery without explicit user approval.

Missing User Warnings (Medium, 98% confidence)

The README instructs users to pass an API key directly as a shell argument, which can expose the secret in shell history, process listings, terminal logs, and audit systems. Because this is an authentication credential for an external service, disclosure could allow unauthorized API use or impersonation of the client.

Missing User Warnings (Medium, 90% confidence)

The README promotes automated GitHub syncing without clearly instructing users to verify that secrets, keys, request data, logs, and other sensitive artifacts are excluded before sync. In a skill that handles API keys, provider registries, encryption keys, and request metadata, accidental publication to a remote repository is a realistic confidentiality risk.

Missing User Warnings (Medium, 97% confidence)

The script writes the supplied API key directly into providers.json without warning the user that a sensitive credential is being stored locally. This can lead to accidental exposure through source control, logs, shared workspaces, backups, or overly permissive filesystem access, especially because the file is created in the skill directory by default.

Missing User Warnings (Medium, 92% confidence)

The script generates private signing and encryption keys and writes them to disk in plaintext PEM format without setting restrictive file permissions or warning the user about the sensitivity of those files. If the target directory or created files are readable by other local users, backed up to insecure locations, or later exfiltrated, an attacker can decrypt messages and impersonate the key owner.

Missing User Warnings (Medium, 94% confidence)

The script prints the first 12 characters of each stored API key to the console when listing providers. Even partial credential disclosure materially increases the chance of key recovery, correlation across systems, shoulder-surfing, terminal log leakage, or exposure through shell history/session recording, and there is no warning or access control around this output.

Missing User Warnings (Medium, 95% confidence)

The script accesses a local credential file and extracts a gateway auth token without disclosure or an explicit opt-in path. Silent credential harvesting is dangerous because users may not expect this skill to access external local-service credentials, and compromise of the watcher or its outputs could enable misuse of that token.

VirusTotal

65/65 vendors flagged this skill as clean.