Morestore

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MoreStore integration that uses credentials and account actions for its stated marketplace and photo-generation workflows.

Install only if you want an agent to access your MoreStore account. Use a unique MoreStore password, avoid sharing confidential deal terms or regulated data in campaigns or messages, review generated campaign fields before approving creation, and persist the API key only if you need ongoing automation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Session Persistence

Medium

Category: Rogue Agent
Content: ### Step 2 — Save the API key to OpenClaw config (optional; confirm first) **Only after the user confirms** they want persistent storage: read `~/.openclaw/openclaw.json`. If the file does not exist, create it as `{}`. Merge the following into the JSON (preserving any existing keys):
Confidence: 84% confidence
Finding: create it as `{}`. Merge the following into the JSON (preserving any existing keys): ```json { "skills": { "entries": { "morestore": { "enabled": true, "env": {

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal