SignalRadar

Security checks across malware telemetry and agentic risk

Overview

SignalRadar is a coherent market-monitoring skill, but it automatically creates background monitoring and stores messaging route data in ways users should review first.

Install only if you are comfortable with it creating scheduled background checks, writing state under ~/.signalradar, and sending alert payloads to configured webhooks or OpenClaw routes. Review schedule status after setup and use the provided schedule disable command if you do not want ongoing monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The protocol explicitly supports outbound message delivery through stored reply-route metadata and background push behavior, which extends the skill from passive monitoring into active message routing. That capability is not inherently malicious, but persisting routing targets and enabling scheduled sends increases privacy and misuse risk if the route file is stale, over-broad, or tampered with.

Intent-Code Divergence

Low
Confidence: 78%
Finding
The protocol says reply-route capture happens on any CLI invocation, which can include read-only actions such as showing market info from a shared URL. That means a nominally non-mutating action can still persist communication routing state, surprising users and creating a side effect inconsistent with least-astonishment and least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill captures OpenClaw reply-routing metadata from environment variables and writes it to disk for later reuse without explicit user approval. Persisting channel, target, account, and thread identifiers creates a durable messaging capability that can be reused by background jobs to send messages outside the immediate user interaction.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill can create and remove persistent background jobs via crontab and OpenClaw cron, giving it host-level persistence beyond the original session. In an agent-skill context, automatic scheduler management is dangerous because it enables continued execution and outbound messaging after the user interaction ends.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
When the watchlist is empty, invoking add or run can divert into onboarding flows that steer the user toward adding preset markets unrelated to an explicitly requested URL. That violates the declared behavior of only showing market info without auto-adding when intent is ambiguous, increasing the chance of unrequested state changes and background monitoring.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The onboarding flow is designed to populate the watchlist with preset markets unrelated to a user-specified target, then record baselines and enable auto-monitoring. In a monitoring skill, this creates unsolicited durable state, background execution, and future outbound notifications, which is materially more dangerous than a simple informational preview.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation states that the tool will attempt to auto-enable background monitoring after a normal user action, including use of system crontab. Creating scheduled jobs is a persistence-affecting system change, and doing so automatically without an explicit warning/consent step can surprise users and expand the blast radius if the skill is misused or misconfigured.

Missing User Warnings

Medium
Confidence: 94%
Finding
The webhook examples encourage sending alerts to third-party HTTP endpoints such as Slack, Telegram, and Discord, but the docs do not warn that monitored market data, metadata, and possibly identifiers will leave the local environment. This creates privacy and data-handling risk, especially if users paste sensitive webhook URLs or assume alerts remain local.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The skill persists an inferred language preference into user config automatically after an add/finalize action. While low severity, silently storing derived user preferences without opt-in can violate user expectations and create unnecessary persistent profiling data.

Missing User Warnings

Medium
Confidence: 85%
Finding
Persisting reply-route metadata on disk without an explicit warning can expose communication identifiers and create a durable delivery channel that outlives the initiating session. If another local process or user can read or modify the file, alerts may be redirected, privacy may be affected, or notifications may be sent to unintended recipients.

Missing User Warnings

Medium
Confidence: 93%
Finding
Reply-route metadata is harvested from environment variables and persisted silently, which is a transparency and consent failure. Users may not realize the skill has stored identifiers enabling later message delivery, especially from scheduled runs outside the current session.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill can send messages over the network through the OpenClaw CLI using previously stored route metadata without a fresh user-facing warning at send time. In combination with scheduling, this allows silent outbound communication from background runs, reducing user awareness and control.

VirusTotal

66/66 vendors flagged this skill as clean.
