Security audit

Discord Output Metrics Footer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it needs review because it reads a local Codex OAuth token and uses it for automatic ChatGPT quota checks.

Review the bundled index.ts before installing. Install only if you are comfortable with an OpenClaw Discord plugin reading your local OpenAI Codex OAuth profile and calling chatgpt.com for quota; avoid enabling it in sensitive workspaces unless you accept that credential-backed lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill explicitly describes a plugin that uses live OpenAI Codex OAuth usage and plugin hooks, which implies network-capable behavior, but the skill metadata does not declare any permissions or constraints around that capability. Undeclared network access is risky because users may install the skill without understanding that it can reach external services or handle remote data, reducing transparency and weakening trust and review controls.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The plugin does more than local Discord footer formatting: it reads a local auth file to obtain an OAuth access token and then performs an external request to ChatGPT's backend API. Even if intended to fetch quota information, this expands the trust boundary, silently uses sensitive local credentials, and creates a data-flow from local secrets to the network that users may not expect from a display-only footer skill.

Context-Inappropriate Capability

High
Confidence: 98%
Finding:
The code explicitly reads stored OAuth credentials from ~/.openclaw/.../auth-profiles.json and extracts a Codex access token for reuse. Accessing and repurposing bearer tokens outside the normal authentication flow is dangerous because any plugin with this behavior can act on behalf of the user against external services, and the token handling occurs without clear consent or containment.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The plugin reads an access token from local storage and sends it in an Authorization header to an external endpoint with no user-facing disclosure in the code path. Although HTTPS is used and the destination appears related to the service, the security issue is the undisclosed use of a sensitive token by a UI-formatting plugin, which undermines informed consent and increases the blast radius if the plugin is modified, abused, or the endpoint changes.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The documentation explicitly describes reading a local auth profile store to obtain an OAuth access token and then using it in a remote request to a third-party endpoint, but it does not clearly require explicit user consent, disclosure, or secure handling constraints beyond not printing the token. In an extension that runs during message processing, this creates a real credential-access and data-transmission risk: users may unknowingly install functionality that accesses sensitive local credentials and sends authenticated requests off-box.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.potential_exfiltration

Sensitive-looking file read is paired with a network send.

Warn
Code: suspicious.potential_exfiltration
Location: assets/extension-template/index.ts:120