Back to skill

Security audit

Coding Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a real coding-delegation helper, but it encourages broad auto-approved agent execution and remote/host side effects that users should review before installing.

Install only if you intentionally want OpenClaw to launch other coding agents on your projects. Prefer sandboxed or approval-gated modes, avoid yolo and permission-bypass modes except in disposable worktrees, keep secrets out of the working directory, monitor background sessions, and manually review any commit, push, PR creation, GitHub comment, or OpenClaw event before allowing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill explicitly tells delegated background agents to execute `openclaw system event`, which grants them a host-side signaling/orchestration action beyond merely editing code in a project directory. That expands the delegated agent's authority and creates a side-effect channel that can be abused for spoofed completion signals, unintended wake events, or triggering follow-on automation.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document claims the delegated agent sees only the specified `workdir`, but later workflows instruct it to push branches, create PRs, and interact with remotes, which are external side effects not bounded by local directory scope. This misleading confinement claim can cause operators to underestimate the agent's ability to exfiltrate code or modify remote systems.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill normalizes `--permission-mode bypassPermissions` for Claude and presents dangerous execution modes as standard usage with minimal risk framing. That encourages operators to hand broad, unreviewed authority to an autonomous coding agent, increasing the chance of unintended file changes, command execution, or data exposure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The PR review workflow includes posting review output to GitHub without warning that the content may be sent to an external/public service. An operator may unknowingly publish sensitive code details, internal reasoning, or erroneous findings outside the local environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The auto-notify workflow instructs a background agent to emit system events but does not warn about the external side effects or trust implications of allowing the delegated agent to signal the host. This can create misleading state changes, noisy automation, or abuse of a privileged orchestration pathway.

Ssd 1

High
Confidence
98% confidence
Finding
The skill endorses permission-bypass mode for Claude Code as the normal path, effectively granting the delegated agent elevated authority without interactive checks. In the context of a coding agent that can explore repositories and run commands, this materially increases the blast radius of prompt injection, mistakes, or malicious task content.

Ssd 1

High
Confidence
96% confidence
Finding
The rules section repeats bypassed-permission execution as standard behavior, reinforcing a dangerous norm rather than treating it as an exception. Repetition in operational rules makes unsafe escalation more likely to be applied broadly and automatically.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.