Openclaw Boss

Security checks across malware telemetry and agentic risk

Overview

This is a local user-profile report skill, but it deserves review because it reads private OpenClaw history and advertises recurring privileged reports that store and print full personal profiles.

Install only if you are comfortable with this skill reading OpenClaw memories, profile files, session history, prior reports, and related memory tooling to build a personal assessment. Before using scheduled reports, verify whether any .onload or cron entry is created, prefer user-level scheduling, and review generated reports before sharing because they may contain sensitive personal details and inferred traits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess


def run_command(cmd: str, timeout: int = 60) -> str:
    """Run a shell command and return its stdout."""
    try:
        # shell=True passes cmd to the system shell as a single string (the flagged behavior);
        # stderr is captured but discarded, so failures are only visible through the exception path.
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return result.stdout
    except Exception as e:
        # Includes subprocess.TimeoutExpired when the command exceeds `timeout` seconds.
        return f"[Error: {e}]"
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents shell execution plus filesystem read/write behavior, but does not declare permissions or clearly constrain those capabilities. That creates a privilege-transparency gap: users and the host may invoke what appears to be a simple profiling skill while it can access and persist data on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is a conversational self-reflection report, but the documented behavior expands into reading workspace files, querying another memory system, writing persistent reports/logs, scheduling jobs, and fabricating metrics. This mismatch undermines informed consent and can expose or process data far beyond what a user would reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The README presents the skill as a conversational self-reflection/report generator, but the documented installation behavior creates persistent system cron jobs, configures logs, and may start the Cron service. That is a privilege and persistence expansion beyond the user-facing purpose, increasing attack surface and creating a mismatch that can surprise users or operators.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation instructs users to inspect and modify /etc/cron.d and remove files with sudo, which involves privileged system-wide configuration unrelated to the core self-analysis function. Even though this is documentation rather than executable code, normalizing privileged edits broadens the operational footprint and can lead to unsafe deployment practices.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The report structure goes beyond conversation history into project health, URLs, article counts, security posture, and other environment-derived attributes. That is data overcollection relative to the skill's stated purpose and may surface sensitive operational or personal information not needed for a self-analysis report.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The workflow explicitly instructs the agent to read generated files from the filesystem and use that content in the chat, even though the skill is presented as a conversational analysis tool. This expands access from transient analysis to persistent file handling and increases the chance of disclosing stored sensitive data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The package metadata declares an on-demand self-reflection/report skill, but also enables automatic scheduled reporting via onload configuration. This creates a behavior mismatch: users may expect analysis only when explicitly requested, while the skill is positioned to set up recurring reports automatically, which can process conversation history without clear contemporaneous consent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Installation-time scheduling is not clearly necessary for a conversational self-analysis skill and expands the skill's operational scope beyond user-triggered interactions. In context, this could result in periodic analysis of user conversation history or profile data without a clear user action, increasing privacy and surprise risks.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The report presents itself as a truthful, strict evaluation, but multiple scores, comments, titles, and percentile values are randomized elsewhere in the code. That creates deceptive output that can mislead users into trusting fabricated assessments as evidence-based analysis.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is described as a self-reflection/profile tool, but it also persistently writes reports to disk, creating retained artifacts of potentially sensitive user profiling data. This expands data handling beyond the apparent user expectation and increases privacy and retention risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
Instead of limiting itself to current conversation history, the script reads MEMORY.md, USER.md, recent memory files, and prior reports, enabling broader profiling than the skill description suggests. This increases the amount of personal or historical data included in the analysis and can surprise users who expect a narrower scope.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Executing shell commands to collect sessions is an unnecessary and over-privileged mechanism for a profile-report skill. Combined with shell=True, it creates both an execution surface and a privacy boundary bypass where the skill can invoke local tools rather than operate on passed-in data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill reaches into another skill's scripts/database via a shell command, broadening access and capability beyond the stated purpose of simple user reflection. This cross-tool invocation can expose unrelated memory data and compounds the command-injection risk because the query is inserted into a shell string.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are very broad and overlap with common conversation such as asking for analysis or evaluation, which can cause unintended activation of the skill. In this skill's context, accidental invocation could generate reports, analyze conversation history, or produce stored outputs without a deliberate user request for this specific tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes automatic scheduled report generation, log creation, and cron installation without a clear warning that user data and conversation history may be analyzed on an ongoing basis and written to disk. This creates a transparency and privacy risk because users may not understand that analysis persists beyond an immediate chat interaction.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad and overlap with common user requests like 'analyze me' or '评价一下我', which can cause the skill to activate when the user did not intend a deep profiling workflow. In this context, overbroad activation is risky because the skill can access memory-like data and generate persistent reports.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill describes weekly and monthly scheduled execution without clear consent, enrollment, revocation, or data-scope boundaries. Background profiling on a schedule can repeatedly process and persist user data without contemporaneous user awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description does not warn users that the skill may read conversation history, generated report files, and other stored memory/project artifacts. That omission weakens informed consent and makes the later disclosure-oriented workflow more dangerous.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The onload description says it will automatically configure weekly and monthly report tasks, but it is ambiguous about exactly when and under what conditions this occurs. Ambiguity around install-time automation is dangerous because it can hide side effects from users and reviewers, making unexpected persistence or data processing easier to introduce.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section explicitly directs the system to collect basic profile data such as name, location/timezone, contact details, service start time, and platform from USER.md and conversation history, but provides no disclosure, consent boundary, minimization rule, or purpose limitation. In the context of a user-analysis skill that generates performance-style reports, this creates a real privacy profiling risk because the agent may aggregate personally identifiable information and present or retain it beyond the user's reasonable expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This section instructs the agent to infer personality traits, behavior tendencies, preferences, and communication style from conversation history, effectively performing behavioral profiling without transparency or opt-in. That is dangerous because inferred traits can be inaccurate, sensitive, or manipulative, and the skill's 'boss/report card' framing increases the likelihood of overconfident judgments being presented as authoritative assessments of the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently runs commands to retrieve sessions and database-backed memories without a clear user-facing privacy notice. Even if technically intended, collecting and processing this data without transparent disclosure undermines informed consent and increases privacy risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script reads local profile and memory files, then later emits a full synthesized report to stdout, which may expose sensitive details to calling systems, logs, or unintended viewers. Because the report aggregates multiple personal data sources, the privacy impact is larger than any single file read.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly directs the agent to read a generated report file and output its full contents verbatim in chat. Because the report is derived from conversation history and potentially other stored data, this instruction is a direct disclosure pattern that can reveal sensitive user information far beyond what is necessary.

VirusTotal

64/64 vendors flagged this skill as clean.
