Back to skill

Security audit

birthday

Security checks across malware telemetry and agentic risk

Overview

This birthday reminder skill does what it says, but it can store personal birthday data and optionally send reminders through configured email or webhook channels.

Install only if you are comfortable storing birthday records locally. Avoid entering full Chinese ID numbers unless needed, review the generated birthdays.json, keep email and webhook channels disabled unless you trust the destination, and approve any daily OpenClaw automation before letting it run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable scripts that read and write local files, consume environment variables, and may send notifications, yet the skill metadata shown in the document does not declare those capabilities. This creates a permission-transparency gap: callers may invoke the skill expecting simple date conversion while the implementation can access sensitive local data and communicate externally through configured channels.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is birthday management, but the documented behavior also includes outbound notification delivery, webhook/email integration, local mail invocation, and automation-scheduler hint generation. That mismatch increases the chance of silent data egress or unintended persistence/automation because users may approve the skill for benign record-keeping without realizing it can transmit data or trigger recurring jobs.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs capability expansion beyond simple birthday record management by probing for a local sendmail binary and invoking it to send email. Even if intended as a notification feature, this introduces external command execution and outbound messaging behavior that is not clearly disclosed in the skill purpose, which increases attack surface and could be abused to exfiltrate reminder content or operate unexpectedly in a host environment.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The notification configuration resolver expands ${ENV_VAR} placeholders, allowing the skill to read SMTP-related secrets from environment variables. Accessing credentials is a sensitive capability not obvious from the birthday-management description, and in an agent context this can violate least-privilege expectations and enable misuse of host secrets for outbound communication.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script can send birthday reminder content to external destinations via SMTP email and arbitrary webhook URLs, which materially expands the trust boundary from local record management to network exfiltration of personal data. In a birthday-reminder skill that handles names, birthdays, ages, and partially masked ID-derived data, this creates a real privacy and data-transfer risk if the feature is enabled or the config is modified by another component.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The default notification template is designed to resolve SMTP credentials from environment variables and later use them for outbound email delivery. While reading environment variables is common, combining hidden credential loading with unsolicited external notification capability is risky because it enables silent use of privileged secrets to send personal data outside the local system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages extracting and storing birthdays from Chinese national ID numbers, which are highly sensitive personal identifiers, but it does not warn about the privacy and compliance implications of processing that data. In this context, even if only birthdays are retained, users may input full ID numbers into logs, shell history, datasets, or agent transcripts, increasing exposure of regulated personal information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document describes sending birthday reminders through email, enterprise messaging, and webhooks but does not warn that those channels may disclose personal birthday information to third-party systems. Because birthday records are tied to named individuals and may originate from ID-derived data, outbound notifications can create privacy leaks or policy violations if recipients, endpoints, or logs are misconfigured.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists birthday records to disk, including sensitive personal data such as names, birthdays, masked ID-card metadata, and creation timestamps, without any user-facing warning, consent flow, or storage protections. In this skill context, handling identity-linked birthday data makes undisclosed local persistence a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The default notification template advertises support for credential-backed SMTP configuration via environment variables, which implies secret consumption without prominently warning the user in the interface. In an agent skill, undeclared secret access is security-relevant because users may not expect a birthday utility to interact with mail credentials at all.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script spawns an external process for email delivery without surfacing that behavior in the user-facing interface. External subprocess invocation is a meaningful security boundary crossing: it depends on host binaries, can interact with local MTA configuration, and creates side effects beyond normal data processing.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script persists personal data such as names, birthdays, and metadata into a local JSON file without any access control hardening, encryption, or warning about retention of sensitive personal information. In the context of a birthday manager that can also derive dates from Chinese ID numbers, local plaintext storage increases the risk of privacy leakage on shared systems or backups.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code resolves values from environment variables for notification settings, including SMTP credentials, without explicit user-facing disclosure at the point of use. In combination with external notification support, this can cause secret-backed outbound delivery of personal reminders in ways the operator may not realize, especially in agent or CI environments where environment variables are prepopulated.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Webhook delivery sends reminder text containing personal data to an arbitrary external URL configured in the notification file, with optional custom headers. This is dangerous because it enables straightforward transmission of names, birthdays, and age information to third-party services, and the skill context makes that especially sensitive due to handling of personal identity-related data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/birthday_manager.js:304