Lark Openclaw Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill clearly saves memos locally, but its suggested shell command can treat memo text as executable shell syntax.

Install only if you are comfortable with notes being saved as plaintext under ~/.memo. Before using it with arbitrary pasted content, the write step should be changed to a safe file-writing method or a safely quoted data path so memo text cannot execute shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill persists raw user-provided content into local files under ~/.memo without any disclosure, confirmation, or retention warning. This creates a privacy and data-handling risk because users may provide sensitive information believing it is only being processed transiently, while the skill silently stores it on disk for future access.

VirusTotal

VirusTotal findings are pending for this skill version.
