Security audit

PromptDome

Security checks across malware telemetry and agentic risk

Overview

PromptDome behaves like a disclosed prompt-injection scanning integration, but users should understand it sends message content to an external API and stores an API key locally.

Install only if you are comfortable with incoming messages and manually scanned content being sent to PromptDome or your configured self-hosted endpoint. Use a dedicated revocable API key, protect ~/.openclaw/openclaw.json and ~/.openclaw/logs, and periodically remove logs if they may contain sensitive snippets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and instructs use of network access, shell commands, environment variables, and persistent file writes, but does not declare corresponding permissions. This undermines informed consent and security review because operators may install a skill that can modify local OpenClaw state and contact external services without an explicit permission model.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script persists the PromptDome API key into ~/.openclaw/openclaw.json, creating long-lived credential storage beyond the narrowly described install steps. Storing a secret in a general-purpose config file increases exposure to local compromise, backup leakage, accidental check-in, or access by other OpenClaw components that can read the shared config.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions direct users to save the PromptDome API key into ~/.openclaw/openclaw.json for persistent reuse, but do not clearly warn that this stores a long-lived credential on disk. Persisted secrets increase exposure to local compromise, accidental backup leakage, config sharing, or later exfiltration by other tools/plugins with filesystem access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The hook is documented to send every incoming message to a third-party API before the model processes it and to log scan results locally, but it provides no user-facing disclosure, consent mechanism, or clear data-handling boundaries. In a security gateway that operates on all inbound messages, this can expose sensitive prompts, credentials, PII, or proprietary data to an external service and local disk without users realizing their content is being transmitted and retained.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The hook sends every qualifying incoming message to a third-party PromptDome API, including up to 50,000 characters of raw content, before the model processes it. In a messaging/agent environment this can include secrets, PII, internal data, or regulated content, and there is no consent gate, minimization beyond length truncation, or clear in-product disclosure at the transmission point. The skill context makes this more dangerous because it is designed to auto-scan all inbound messages, turning occasional exposure into systematic exfiltration of user content to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The log entry records sender, channel, message ID, findings, and an 80-character preview of the message content to a local file under the user's home directory. Even though this is local rather than remote, it can still expose sensitive content and metadata to other local users, backup systems, support tooling, or later compromise, especially because the preview may contain credentials, PII, or confidential prompts. The skill context increases risk because this hook runs automatically on every received message, creating continuous sensitive logging by default.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool transmits the full scanned text and optional source metadata to a third-party service at PromptDome, which can include sensitive user prompts, documents, tool output, or raw HTML. Although this is consistent with the tool's stated purpose, the implementation provides no runtime consent gate, redaction, allowlist, or prominent user-facing disclosure before exfiltrating potentially confidential data off-platform.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores the API key without an explicit warning that a credential will be written to disk. This is dangerous because users may assume the key is used ephemerally for setup/testing, while in reality it becomes a persistent secret on the local system, increasing the chance of unintentional disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Hook (auto-scanning)
mkdir -p ~/.openclaw/hooks/promptdome-gate
cp skills/promptdome/hook/HOOK.md   ~/.openclaw/hooks/promptdome-gate/
cp skills/promptdome/hook/handler.ts ~/.openclaw/hooks/promptdome-gate/
```
Confidence
82% confidence
Finding
mkdir -p ~/.openclaw/hooks/promptdome-gate cp skills/promptdome/hook/HOOK.md ~/.openclaw/hooks/promptdome-gate/ cp skills/promptdome/hook/handler.ts ~/.openclaw/hooks/promptdome-gate/ # Plugin (exp

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
hook/handler.ts:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
plugin/index.ts:15