Multi Find Skills

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent purpose, but it includes risky install guidance and proactive behavior that users should review before trusting it.

Install only if you are comfortable with a skill that proactively searches external skill marketplaces and keeps a local preference file. Before allowing any install, review the candidate skill and avoid `--force`, `-y`, and global `-g` commands unless you intentionally accept those effects. Set the memory mode to passive or remove the memory file if you do not want proactive searches or retained recommendation history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill explicitly promises not to use automatic confirmation flags, yet elsewhere documents an installation command with `npx -y @lobehub/market-cli ...`. That contradiction weakens the safety contract and can normalize non-interactive execution of package-manager commands, increasing the chance of unintended installs or reduced user awareness during risky operations.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The skill claims it will not access files outside its own directory, but its workflow reads and verifies paths such as `~/.openclaw/skills/<skill>/SKILL.md` and its own memory under `~/.openclaw/...`, which exceeds the declared boundary. This is primarily a trust-boundary and transparency issue: inaccurate claims about file access can mislead users about what local data the skill may inspect.

Intent-Code Divergence

High
Confidence: 98%
Finding
The file first states that suspicious skills must never be force-installed, then later recommends `clawhub install <skill-name> --force` as a generic troubleshooting step. That contradiction can normalize bypassing safety checks and lead users to install packages that prior guidance would have blocked, especially in a skill-discovery/install workflow where untrusted third-party content is expected.

Vague Triggers

Medium
Confidence: 88%
Finding
The implicit triggers include very broad help-seeking phrases such as asking how to do something or whether there is a better way, which can cause the skill to activate when the user did not intend a marketplace search or preference-processing workflow. In context, this matters because activation leads to external queries and memory-file reads, so over-triggering can leak unnecessary search terms and create confusing or privacy-impacting behavior.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill explicitly states that initialization will automatically create a file under the user's home directory on first activation, but it does not surface a clear user-facing notice or consent step before modifying persistent state. In an agent skill context, silent writes to `~/.openclaw` can surprise users, create unwanted persistence, and normalize background filesystem changes.

Missing User Warnings

High
Confidence: 91%
Finding
The documented error handling says a corrupted `memory.md` will be deleted and rebuilt, which is destructive behavior against user data without a clear warning, backup, or recovery flow. Even if the file is small, automatic deletion can erase user preferences or history and could be triggered by malformed content or parsing errors.

Vague Triggers

High
Confidence: 95%
Finding
The implicit activation rules are overly broad and overlap with ordinary user questions such as 'how do I do X?' or 'what should I install?'. In a skill whose purpose is to search for and recommend installable third-party skills, this can trigger unsolicited discovery flows and increase the chance of steering users toward installation actions they did not explicitly request.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes installation commands using global install and auto-confirm flags (`-g -y`) without adjacent warnings about trust, review, or system-wide side effects. In this context, users may be encouraged to install unreviewed third-party skills non-interactively, reducing friction for unsafe changes and making accidental or malicious package installation more likely.

Ssd 4

Medium
Confidence: 96%
Finding
Across this section, the document mixes strong safety language about never force-installing suspicious skills with later operational advice that tells the operator to use `--force` during installation troubleshooting. In context, this is especially dangerous because the skill's purpose is to search for and install third-party skills across ecosystems, so normalizing overrides increases the chance of bypassing protections on untrusted content.

VirusTotal

62/62 vendors flagged this skill as clean.
