Back to skill

Security audit

Technical Insight

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with technical analysis, but it asks for broad runtime authority and contains unsafe filesystem, credential, and subprocess behavior that users should review before installing.

Install only if you are comfortable with the skill cloning repositories, writing analysis artifacts to local workspace paths, invoking helper scripts, and using a Tavily API key. Avoid running it on sensitive/private repository URLs until the repo-clone cleanup is made safe, output paths are user-controlled, and credential loading is limited to the one required Tavily secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Clone the repository for analysis"""
        if os.path.exists(self.local_path):
            subprocess.run(['rm', '-rf', self.local_path], check=True)
        subprocess.run(['git', 'clone', '--depth=1', self.repo_url, self.local_path], check=True)
        
    def analyze_structure(self) -> Dict[str, Any]:
        """Analyze repository structure and extract components"""
Confidence
95% confidence
Finding
subprocess.run(['git', 'clone', '--depth=1', self.repo_url, self.local_path], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def clone_repository(self):
        """Clone the repository for analysis"""
        if os.path.exists(self.local_path):
            subprocess.run(['rm', '-rf', self.local_path], check=True)
        subprocess.run(['git', 'clone', '--depth=1', self.repo_url, self.local_path], check=True)
        
    def analyze_structure(self) -> Dict[str, Any]:
Confidence
98% confidence
Finding
subprocess.run(['rm', '-rf', self.local_path], check=True)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as an analysis/reporting tool, but it also performs automatic persistent writes, directory creation, and artifact generation on disk. That mismatch can cause unintended side effects, surprise file creation, and data persistence beyond what a user would reasonably expect from a reporting skill.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The workflow mandates invocation of another skill to generate a presentation, expanding the trust boundary and introducing hidden secondary behavior not essential to the core teardown task. This creates unnecessary capability chaining, which can amplify risks if the downstream skill performs additional writes, network access, or prompt-influenced actions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is presented as analytical/reporting functionality, but it automatically writes multiple artifacts locally and invokes additional generation tools. Hidden side effects are a security concern because they can overwrite files, consume resources, or create outputs in fixed locations without informed user consent.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The version history claims hardcoded home-directory paths were removed, but the documented workflow still uses a fixed absolute user-specific path such as /home/Vincent/.openclaw/workspace. Hardcoded absolute paths are dangerous because they can write to unintended locations, break tenant isolation assumptions, and create confusing or unsafe behavior across different environments.

Context-Inappropriate Capability

High
Confidence
82% confidence
Finding
The workflow launches an external Python script as a subprocess, which expands the attack surface beyond in-process analysis. In a skill whose purpose is architecture analysis/report generation, delegating to another executable component means a compromised or swapped helper script can execute arbitrary code with the same privileges, especially if the working directory or packaged files are not strongly controlled.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill performs external command execution to delete and clone repositories, which materially increases its capabilities beyond passive analysis. In this context, command execution plus filesystem mutation means a malformed or abusive input can trigger side effects on the host rather than remaining a read-only analytical operation.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The module acquires remote repositories and mutates the local filesystem, which exceeds a narrow interpretation of analysis-only behavior and increases operational risk. While this may be functionally related to analysis, it still introduces side effects and a larger attack surface than the manifest suggests, making misuse or unexpected behavior more dangerous.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file does not implement the security-relevant behavior implied by the skill manifest. Instead of performing deep technical decomposition, barrier analysis, risk assessment, or evolution prediction, it emits mostly fixed draw.io templates with only minimal input-driven customization, creating a strong capability mismatch that can mislead downstream users or automated workflows into trusting shallow output as rigorous analysis.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstrings market the tool as a 'professional' layered architecture generator, but the implementation is largely static and uses little of the supplied analysis data. This kind of overstated capability is dangerous in an analysis skill because it can cause operators to overtrust generated artifacts and miss gaps, unsupported assumptions, or absent risk reasoning.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads and sources a shared global ~/.openclaw/.env file even though the skill is presented as an analysis-oriented capability with a Tavily-specific need. Sourcing a whole global env file exposes all variables in that file to the skill process and executes any shell syntax present in the file, creating unnecessary credential exposure and trust-boundary expansion.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The comments describe a Tavily-specific configuration, but the implementation sources the entire global ~/.openclaw/.env file. This mismatch can mislead reviewers into underestimating the exposure, since unrelated secrets from the shared env file may also be loaded into the skill context.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The plan explicitly directs the skill to create multiple files under a workspace path, but it does not mention any user notification, confirmation, or consent before making filesystem changes. In an agent setting, silent writes can surprise users, overwrite prior analysis artifacts, or leave sensitive derived data on disk even if the content is not inherently malicious.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill design calls for external API usage and retrieval of documents, source code, community content, and issue tracker data, but it provides no network/privacy disclosure. This can lead to unintended transmission of user-provided targets, queries, or internal technology choices to third-party services, which is more sensitive because the skill is designed for deep technical analysis and may process proprietary topics.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation condition is vague, so the skill may trigger on loosely related requests and execute a broad workflow with file creation and auxiliary actions without clear user intent. Ambiguous triggering increases the chance of overreach, especially when the skill includes nontrivial side effects and externalized outputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill auto-saves reports, JSON data, and diagrams to a fixed workspace path without warning the user that files will be created and retained. Undisclosed persistence can expose sensitive inputs, create unwanted local artifacts, and violate user expectations around ephemeral analysis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automatic flow performs mkdir, writes multiple files, generates diagrams, and validates outputs without any confirmation gate. In a skill context, that means operational side effects can happen automatically, potentially persisting sensitive analysis content or cluttering the environment with derived artifacts.

Vague Triggers

Medium
Confidence
82% confidence
Finding
An ambiguous, overly broad trigger can cause the skill to activate in situations where the user did not intend a high-side-effect workflow. In this skill's context, broad triggering is more dangerous because activation may lead to network access, shell execution, repository analysis, and local file writes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill automatically writes reports, data files, and diagrams to a fixed workspace path without clearly warning the user in the main description. Undisclosed writes are dangerous because they can leak sensitive analysis results to predictable locations, overwrite prior data, or violate user expectations about a read-only analysis task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill collects external data from multiple sources but does not clearly disclose that network access will occur or what data may be sent or retrieved. This is risky because user prompts, repository identifiers, or analysis targets may be exposed to third-party services without explicit consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code fetches remote repository contents locally without any visible consent, disclosure, or warning near the operation. This is dangerous in an agent skill because users may not realize that supplying a URL triggers external network access and local storage of potentially sensitive or malicious content.

Missing User Warnings

High
Confidence
97% confidence
Finding
The module recursively deletes an existing path without any explicit warning or confirmation, creating a clear risk of destructive unintended side effects. In this skill context, that is especially problematic because the operation is not merely analytical—it can erase local data if the path resolves unexpectedly or collides with another process's files.

Credential Access

High
Category
Privilege Escalation
Content
fi

# Source the global configuration
source "$HOME/.openclaw/.env"

# Verify TAVILY_API_KEY is set
if [ -z "$TAVILY_API_KEY" ]; then
Confidence
99% confidence
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.