Back to skill

Security audit

Signalradar

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it automatically creates persistent background monitoring and stores routing data for later message delivery.

Install only if you are comfortable with automatic recurring checks after adding your first market. Review the schedule immediately, use schedule disable if you do not want persistence, and configure only trusted webhook URLs or file paths because alert payloads and routing metadata are stored or delivered outside the chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
outcome["attempted"] = True
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        if result.returncode == 0:
            outcome["sent"] = True
            outcome["status"] = "delivered"
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            with os.fdopen(fd, "w") as f:
                f.write(content)
            result = subprocess.run(
                ["crontab", tmp], capture_output=True, text=True, timeout=10
            )
            if result.returncode == 0:
Confidence
86% confidence
Finding
result = subprocess.run( ["crontab", tmp], capture_output=True, text=True, timeout=10 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--json",
        ]
        try:
            result = subprocess.run(
                cmd, capture_output=True, text=True, timeout=30
            )
            if result.returncode == 0:
Confidence
88% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=30 )

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill auto-enables background monitoring during first add/onboarding, which can install persistent schedulers without a dedicated, explicit scheduling consent step. For a prediction-market monitor, silently turning on recurring background execution is riskier than the manifest suggests and can surprise users with ongoing system changes and outbound activity.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This block manages both host crontab and OpenClaw cron jobs, giving the skill persistence and recurring execution capability beyond simple watchlist management. In context, that makes the skill materially more dangerous because it can continue operating and delivering messages after the initiating interaction ends.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code captures and stores reply-route metadata, then later uses it to send arbitrary outbound messages through the OpenClaw CLI. This creates a durable messaging capability that could be repurposed to exfiltrate information or spam a user/channel, especially when combined with background scheduling.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The protocol explicitly documents silent initialization of local state such as `digest_state.json` during automatic runs. While this is not code execution or data exfiltration, creating or mutating files without clear user notice is a real security/privacy concern because it introduces hidden persistence and can surprise users or operators in restricted environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The protocol states that reply-route environment variables are persisted indefinitely to `~/.signalradar/cache/openclaw_reply_route.json` and reused for background delivery, without an explicit privacy or retention warning. Persisting routing identifiers from environment data can leak sensitive metadata, enable messages to be sent to stale or unintended targets, and creates a durable local artifact attackers or other local users may inspect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The webhook adapter transmits the full delivery envelope, including human-readable alert text and the complete machine payload, to an arbitrary configured URL. In this skill context, market-monitoring data may seem low sensitivity, but request identifiers, configuration-derived content, and future payload fields could still leak externally or be exfiltrated to attacker-controlled endpoints if configuration is compromised or user intent is unclear.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The file adapter appends full delivery envelopes to a caller-specified filesystem path without any guardrails around destination, permissions, or data sensitivity. This can create unintended local data exposure, especially if the path points to shared locations, sensitive files, or logs that are later collected by other processes.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.