OpenClaw Elite Watcher

Security checks across malware telemetry and agentic risk

Overview

This skill claims to provide live OpenClaw intelligence, but it only writes a canned report with unsupported claims to a hard-coded local folder.

Review carefully before installing. There is no evidence of malware, credential theft, exfiltration, or destructive behavior, but the skill materially overstates its capabilities and may create misleading local reports in an unexpected path. Treat any generated intelligence as unverified unless the publisher adds real source collection, provenance, and a user-controlled output location.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill advertises monitoring and reporting behavior yet declares no permissions despite requiring network access and file writing capabilities. This creates a transparency and policy-enforcement gap: users and platforms cannot accurately assess or constrain what the skill can access, increasing the chance of unauthorized outbound requests or local filesystem modification.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The stated purpose is live ecosystem intelligence, but the detected behavior includes writing markdown to a fixed local path and producing hardcoded content unrelated to retrieved data. That mismatch is dangerous because it can mislead users about what the skill is actually doing, conceal unwanted local side effects, and enable deceptive output that appears data-driven when it is not.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The skill claims to monitor external sources and distill live intelligence, but the implementation only writes a fabricated, hard-coded report. This is dangerous because users may act on false intelligence, believing the report reflects real GitHub/X activity when no fetching, verification, or analysis occurs.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The tracking list strongly implies that those sources are actively monitored, but the code never uses the list and instead emits canned statements about developer activity. In a security-sensitive or trading/intelligence context, this kind of deceptive behavior can mislead operators into trusting unsupported claims.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal