Inference Optimizer

Security checks across malware telemetry and agentic risk

Overview

This OpenClaw maintenance skill is not malicious, but it can persistently change agent execution permissions and remove session or memory data, so users should review it carefully before installing.

Install only if you intend this skill to administer an OpenClaw VPS. Review setup.sh output before using --apply, inspect exec-approvals.json changes, keep backups, and avoid purge --delete unless you have verified exactly what will be removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises substantial capabilities including shell execution, file reads/writes, environment access, backup/archive creation, and allowlist modification, but it does not declare permissions explicitly. This creates a transparency and policy-enforcement gap: users or platforms may trust the metadata as low-risk while the documented workflow can change files and execution policy. In a security-sensitive agent environment, undeclared capabilities materially increase the chance of unintended privileged actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented primarily as an audit and optimization helper, but the documented behavior extends into persistent system and workspace modification: editing AGENTS.md/TOOLS.md, changing exec approval policy, creating sensitive backups, and deleting or archiving session data. That mismatch is dangerous because it can cause operators to approve or install the skill under the assumption of analysis-only behavior when it actually performs broader state-changing actions with security consequences.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
This script performs real state-changing cleanup of session and memory data, including archival and optional deletion, even though the skill description frames its primary behavior around audit/optimization workflows. In an agent-skill context, bundling destructive maintenance logic increases the chance that an operator or agent invokes data-loss functionality under a misleading or weakly related capability boundary.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The --delete path irreversibly removes session JSONL files older than 24 hours and deletes small memory files, with no confirmation, dry-run, allowlist, or integrity checks beyond path existence. If triggered accidentally or by an over-privileged agent, this can destroy operational history, forensic evidence, or user context that may still be needed.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The header comments describe the script as part of an inference-optimizer skill while the implementation is actually a purge/cleanup utility for sessions and memory. That mismatch can lower operator suspicion and makes the skill context more dangerous, because destructive data-handling functionality is hidden behind a performance-oriented label.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The setup script does more than local installation housekeeping: with --apply it rewrites workspace AGENTS.md and TOOLS.md and then modifies a shared execution approvals file. That expands the skill's operational reach from audit/optimization into changing command surfaces and trust policy, which can silently enable later execution paths beyond what a user may expect from the skill description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The approval allowlist added here is broader than necessary for an inference-audit skill: it pre-approves not only audit/preflight but also purge, setup, and verify scripts for multiple agents. Pre-seeding execution approvals weakens the approval boundary and can let future agent actions invoke file-changing or disruptive scripts with less scrutiny, increasing the blast radius if the skill or surrounding workflow is abused.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill defines broad slash-command triggers like "/audit" and "/optimize" without any scoping, confirmation gate, or requirement that they only run in an explicit skill/session context. In an agent environment, this can cause accidental invocation from normal chat text and may lead to unintended shell execution or configuration changes, especially because "/optimize" is described as analyze + action flow.

Session Persistence

Medium
Category
Rogue Agent
Content
---

## Task 2 — Rewrite workspace files

For each file identified in Task 1 with savings > 100 tokens:
Confidence
93% confidence
Finding
write workspace files For each file identified in Task 1 with savings > 100 tokens:
- Rewrite to declarative bullet points only
- Target: SOUL.md ≤ 500 chars, AGENTS.md ≤ 1000 chars, TOOLS.md trim u

VirusTotal

61/61 vendors flagged this skill as clean.
