
Security audit

Skill Net

Security checks across malware telemetry and agentic risk

Overview

This is a read-only OpenClaw skill-ecosystem diagnostic tool whose local scanning and report files fit its stated purpose, though users should be aware it reads installed skill instructions and saves derived reports.

Install if you want a local map of your OpenClaw skills. Run it only when you are comfortable with it reading installed SKILL.md files and saving dependency reports, and review or delete the generated data files if your skill instructions contain private information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs scanning `~/.openclaw/skills/` and `~/.openclaw/workspace/skills/` and reading every `SKILL.md`, which is a real file-read capability, yet no permissions are declared. That creates a transparency and policy-enforcement gap: an agent may access a broad set of local files without explicit user-visible authorization boundaries, increasing the chance of overcollection or unintended disclosure of skill metadata and contents.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The script has unexpected side effects: beyond analyzing skills, it creates directories and writes `ecosystem.json` and `report.md` into the user's home-directory skill workspace. In an agent-skill context, silent persistence can violate least surprise, overwrite prior outputs, leak derived metadata to disk, and enable unintended data retention from scanned skill content.

Vague Triggers

Medium
Confidence: 93%
Finding
The README advertises trigger phrases such as "analyze ecosystem", "full scan", "ecosystem health", and especially natural-language requests like "what depends on X" and "if I delete Y what breaks". These are broad, plausible user utterances rather than tightly scoped commands, which increases the chance of accidental or over-eager invocation in unrelated conversations. In context this is a diagnostic skill, so the impact is limited to unintended analysis rather than direct system compromise, but broad triggering still creates unnecessary activation risk and possible privacy/scope issues if repository contents are scanned unexpectedly.

Vague Triggers

Medium
Confidence: 95%
Finding
The documented trigger conditions include broad natural-language phrases such as "analyze ecosystem", "full scan", and "ecosystem health", which can plausibly appear in ordinary conversation and may cause unintended activation. In a diagnostic skill that scans all SKILL.md files and generates reports, accidental invocation can expose repository structure, dependency relationships, and metadata the user did not explicitly intend to analyze.

Vague Triggers

Medium
Confidence: 87%
Finding
The Mode 1 triggers include broad phrases like `ecosystem health`, `skill health`, `full scan`, and `analyze ecosystem`, which can plausibly appear in ordinary discussion. Because this skill performs wide filesystem scanning and writes reports, accidental invocation could trigger unnecessary local analysis and data collection in contexts where the user only meant a conceptual question.

Vague Triggers

Medium
Confidence: 90%
Finding
Query-mode triggers such as `what depends on X`, `if I delete Y`, `who references Z`, and `core skills` are generic and lack namespace constraints tying them to the OpenClaw skill ecosystem. This makes accidental routing likely during normal conversation about software, documents, or other dependency graphs, potentially causing the agent to inspect cached ecosystem data or launch a fresh scan without sufficiently specific user intent.

Missing User Warnings

Low
Confidence: 89%
Finding
The script writes generated reports into `~/.openclaw/workspace/skills/skill-net/data` without explicit user-facing disclosure or consent near the write path. In this context, silent writes are risky because they persist analysis of potentially sensitive local skill contents and metadata, creating unexpected artifacts and possible privacy exposure to other local processes or users.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.