Research Mode

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed long-running research workflow tool with real operational risk from scheduled workers, local artifacts, and optional package installs, but the behavior is purpose-aligned and user/operator controlled.

Install only if you want an OpenClaw agent to run durable background research with local task folders and scheduled cron workers. Keep research roots away from unrelated private files, attach only material you intend the task to use, avoid untrusted pip packages or interpreter paths, and use pause/stop/unschedule controls when the task should no longer run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                install_cmd.extend(packages_requested)
        else:
            install_cmd = [str(python_bin), "-m", "pip", "install", *packages_requested]
        subprocess.run(  # nosec B603
            install_cmd, check=True, capture_output=True, text=True, env=env
        )
        packages_installed_now = packages_requested
Confidence
95% confidence
Finding
subprocess.run(  # nosec B603
    install_cmd, check=True, capture_output=True, text=True, env=env
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = [uv_path, "venv", str(task.venv_dir)]
            if getattr(args, "python", None):
                cmd.extend(["--python", args.python])
            subprocess.run(  # nosec B603
                cmd, check=True, capture_output=True, text=True, env=env
            )
        else:
Confidence
84% confidence
Finding
subprocess.run(  # nosec B603
    cmd, check=True, capture_output=True, text=True, env=env
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            )
        else:
            base_python = getattr(args, "python", None) or sys.executable
            subprocess.run(  # nosec B603
                [base_python, "-m", "venv", str(task.venv_dir)],
                check=True,
                capture_output=True,
Confidence
91% confidence
Finding
subprocess.run(  # nosec B603
    [base_python, "-m", "venv", str(task.venv_dir)],
    check=True,
    capture_output=True,
    text=True,

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The Methodology text claims the package excludes local environment identifiers, but the generated summary writes absolute or environment-specific filesystem paths such as package_dir, workbook, and validation_report into package-generation-summary.json. In a research skill context that may publish or persist artifacts, these paths can disclose internal workspace layout or tenant-specific directory structure, creating unnecessary information leakage and undermining the documented safety guarantees.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill exposes a runtime-preparation feature that can create an isolated Python environment and install arbitrary packages supplied via CLI arguments. In an agent setting, this expands the skill from orchestration into code-execution enablement and increases supply-chain and capability-escalation risk, especially if untrusted prompts can influence package names or trigger this command.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The summary text intentionally includes numerous absolute or internal paths such as task, workspace, corpus, runtime, SQLite, and recovery artifact locations. If this surface is shown to end users or less-privileged operators, it leaks filesystem layout and internal operational details that can aid follow-on attacks, expose sensitive filenames, and reveal where reports, inputs, or temporary artifacts are stored.

VirusTotal

59/59 vendors flagged this skill as clean.