Skill Dependency Resolver

Security checks across malware telemetry and agentic risk

Overview

This skill is a local tool for reading skill requirements files and generating a merged requirements file, with no evidence of hidden network, credential, destructive, or privilege behavior.

Install only if you want a local CLI for merging OpenClaw skill requirements. Choose the skills directory and output path deliberately, since the output file can be overwritten, and review the generated requirements file before using it with pip.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description and details describe a broadly-scoped capability that can scan all installed skills and generate a merged requirements file, but they do not define clear invocation boundaries, user confirmation requirements, or exclusions for sensitive directories. In an agent setting, overly broad trigger criteria can cause the skill to run in unintended contexts, exposing dependency metadata across projects or modifying package plans without explicit user intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal