Speckit Workflow for Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a coherent development workflow, but it deserves review because it can publish repository changes and its bundled shell helpers use unsafe dynamic evaluation of branch/path data.

Install only in repositories you control. Answer No to automated Git operations unless you want the agent to create branches, commit, and push on its own; review the diff before anything is published. Do not run this workflow on untrusted repositories or with crafted branch names until the eval-based shell helpers are fixed, since those helpers evaluate branch and path data as shell code, and inspect any generated agent-context files before keeping them, because they shape the agent's behaviour in later sessions.
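The overview's warning about "unsafe dynamic evaluation of branch/path data" is the classic eval-on-untrusted-input bug. The block below is an added example written for this page, not code taken from the skill's bundled helpers: it shows the vulnerable pattern next to a hardened version that allowlists the branch name and then uses it only as quoted data. Function names and the `specs/` directory layout are hypothetical.

```shell
# Added example, not code from the skill's bundled helpers: shows the eval
# pattern the overview warns about and a replacement that never evaluates
# branch or path data as shell code. Function names are hypothetical.

# Vulnerable pattern: a branch name is interpolated into a command string and
# eval'd, so a branch such as 'x;echo INJECTED' runs the second command.
unsafe_feature_dir() {
  eval "echo specs/$1"
}

# Allowlist check for branch names: only [A-Za-z0-9._/-], no leading '-'
# (git would parse it as an option), no '..', no leading or trailing '/'.
is_safe_branch_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._/-]*|-*|*..*|/*|*/) return 1 ;;
  esac
  return 0
}

# Hardened: validate first, then use the name only as quoted data.
safe_feature_dir() {
  if ! is_safe_branch_name "$1"; then
    printf 'refusing unsafe branch name: %s\n' "$1" >&2
    return 1
  fi
  printf 'specs/%s\n' "$1"
}
```

The allowlist is deliberately stricter than what git itself accepts: a branch name that is valid for git can still begin with a dash or contain characters that are special to the shell, and the helper only needs to accept the names the workflow generates.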

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill’s declared role is a workflow orchestrator, but the embedded behavior includes high-impact repository operations such as automated commit/push/branch creation and broad file modification across agent/tooling context files. This mismatch is dangerous because users or calling systems may grant it trust appropriate for orchestration while it performs materially more sensitive actions, increasing the chance of unintended code publication, branch manipulation, or widespread instruction-file tampering.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The skill expands beyond implementation of an approved plan by directing the agent to create or modify repository-wide ignore and configuration files based on heuristics. This can introduce unauthorized changes to project metadata, alter packaging/build behavior, and modify what files are excluded from version control or tooling without explicit approval from the user or plan.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README explicitly says the agent will commit and push changes automatically after task completion, but it does not present a clear warning or require explicit user confirmation before modifying and publishing repository state. In an autonomous agent context, this is dangerous because it can cause unintended code publication, leak sensitive changes, or push incomplete or unsafe work to remote repositories.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill instructs the agent to create directories and write or append checklist files in the repository without an explicit user-facing warning or confirmation step. In an agentic environment, silent filesystem mutation can surprise users, alter tracked project state, and be abused to persist unwanted content in a repo, especially when combined with broad or ambiguous user prompts.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill explicitly instructs the agent to overwrite `.specify/memory/constitution.md` without any confirmation, backup, diff preview, or safety check. In a repo-modifying automation context, this can cause unintended destructive changes or loss of manually curated governance content, especially if placeholder inference or propagation logic is wrong.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill instructs the agent to create or edit ignore files in the repository without warning the user that repository files will be changed. Silent modification of files like .gitignore, .dockerignore, or eslint/prettier ignore settings can hide artifacts, affect scanning, and alter project behavior in ways the user did not authorize.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: Automatically marking tasks as complete in tasks.md edits user planning artifacts without disclosure or confirmation. This can corrupt project tracking, misrepresent implementation state, and create auditability issues if tasks are checked off despite incomplete or failed work.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill instructs the agent to execute a repository-local shell script from the repo root and trust its JSON output, but provides no requirement for user confirmation, no validation of the script, and no warning that running it may modify the working tree. In an adversarial or merely unreviewed repository, this creates a path for executing arbitrary local code and causing unintended file changes during planning.
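The finding above flags that the agent trusts a repository-local script's JSON output. Even when the decision to run the script has been reviewed, the paths it hands back should be treated as untrusted input before the agent writes to them. The block below is an added example for this page, not one of the skill's own scripts: it pulls a path field out of flat JSON and refuses anything absolute or containing a `..` component, so the write stays inside the repository root. The field name `FEATURE_DIR`, the function names and the flat-JSON assumption (string values, no escaped quotes) are all assumptions of this example.

```shell
# Added example (not the skill's own scripts): treat a repo-local script's JSON
# output as untrusted input and check any path it returns before writing there.
# Assumes a flat JSON object with string values and no escaped quotes; the
# field name FEATURE_DIR and the function names are hypothetical.

json_string_field() {
  # usage: json_string_field '<json>' FIELD -> prints the field's string value
  printf '%s\n' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

is_contained_relpath() {
  # Lexical check: non-empty, relative, no backslashes, no ".." component.
  # Lexical rather than filesystem-based because the target may not exist yet.
  p="$1"
  case "$p" in ''|/*|*'\'*) return 1 ;; esac
  rest=$p
  while [ -n "$rest" ]; do
    comp=${rest%%/*}
    if [ "$comp" = ".." ]; then return 1; fi
    case "$rest" in */*) rest=${rest#*/} ;; *) rest='' ;; esac
  done
  return 0
}

resolve_feature_dir() {
  # usage: resolve_feature_dir REPO_ROOT '<json>' -> prints REPO_ROOT/<dir> or fails
  root="$1"
  dir=$(json_string_field "$2" FEATURE_DIR)
  if [ -z "$dir" ]; then
    printf 'FEATURE_DIR missing from script output\n' >&2
    return 1
  fi
  if ! is_contained_relpath "$dir"; then
    printf 'refusing path outside repository: %s\n' "$dir" >&2
    return 1
  fi
  printf '%s/%s\n' "$root" "$dir"
}
```

If the directory already exists, `cd -- "$dir" && pwd -P` can be added to resolve symlinks and confirm the canonical path still starts with the repository root; the lexical check alone is what makes a not-yet-created path safe to pass to `mkdir -p`.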

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill explicitly directs updating an agent-specific context file via a repository script, again without user consent or a warning that local configuration/context will be modified. Because these context files influence future agent behavior, this is more dangerous than a normal documentation update: a malicious repo could persist prompt/config changes that affect subsequent sessions or tasks.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill directs the agent to create branches and write files, including running a repository script, without an explicit user-facing warning in the skill description that it will modify the working tree and git state. In an agent setting, this can lead to unexpected repository mutations, accidental branch creation, and execution of project-local scripts that may have side effects beyond simple spec generation.

VirusTotal

65/65 vendors reported this skill as clean. Antivirus scanning of the skill files does not cover the behavioral issues listed above (automated pushes, eval-based shell helpers, context-file edits), so a clean result here does not offset those findings.
