Security audit

capability-match

Security checks across malware telemetry and agentic risk

Overview

This skill locally reads installed skill descriptions to recommend matching skills, with no evidence of hidden execution, network transfer, persistence, or mutation.

Install only if you are comfortable with it reading your local OpenClaw skills directory to build recommendations. Treat its suggestions as guidance and confirm before using any recommended skill, especially for sensitive or high-impact tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrase 'recommend a skill for [task]' is broad enough to match ordinary conversation, which can cause the router skill to activate unexpectedly. Because this skill scans installed skills and influences routing decisions, overbroad activation increases the chance of unintended invocation, prompt hijacking of normal requests, or disclosure of local skill inventory.

Vague Triggers

Medium
Confidence: 91%
Finding
The package description advertises a general-purpose AI-powered router that 'analyzes your request and recommends the best installed skill' without defining any trigger constraints, scope boundaries, or safety gating. In a skill-routing context, overly broad activation language can cause the agent to invoke or recommend this skill for ambiguous prompts, increasing the chance of unsafe delegation, privilege overreach, or prompt-based misuse across installed skills.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.