Back to skill

Security audit

Git Repo Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about analyzing URLs, but it can automatically install or replace local OpenClaw skills from cloned repositories after only a narrow review.

Install only if you are comfortable with a URL-processing skill that can clone arbitrary repositories and install third-party skills into your local OpenClaw environment. Review each proposed skill manually before installation, avoid untrusted or private repository URLs, and back up existing installed skills because same-name installs can be replaced.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def clone_repo(url: str, staging_dir: str):
    subprocess.run(
        ["git", "clone", "--depth", "1", url, staging_dir],
        check=True, capture_output=True, text=True,
    )
Confidence
86% confidence
Finding
subprocess.run( ["git", "clone", "--depth", "1", url, staging_dir], check=True, capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def clone_repo(url: str, dest: str):
    subprocess.run(
        ["git", "clone", "--depth", "1", url, dest],
        check=True, capture_output=True, text=True,
    )
Confidence
94% confidence
Finding
subprocess.run( ["git", "clone", "--depth", "1", url, dest], check=True, capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cloc(root: pathlib.Path):
    try:
        result = subprocess.run(
            ["cloc", "--json", "."],
            cwd=str(root),
            capture_output=True,
Confidence
85% confidence
Finding
result = subprocess.run( ["cloc", "--json", "."], cwd=str(root), capture_output=True, text=True, timeout=60, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while its documented behavior includes environment-variable access, network access, shell execution, and reads/writes under the user's home directory. This weakens user consent and review because the actual capability surface is larger than the metadata suggests, especially for a skill that clones repositories and installs artifacts locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond passive analysis: it clones repositories, may retain staging data, installs reviewed skills into the local skills directory, and for Zhihu may fetch and save article content locally. This mismatch can mislead users into approving a seemingly low-risk analyzer that actually performs state-changing local and network actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool claims to perform a security review of a cloned skill repository but actually inspects only `SKILL.md`, ignoring the repository's executable code, scripts, and configs. This can create false assurance and allow malicious code to be labeled safe or cautionary despite never being analyzed, which is dangerous in a security-gating context.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The report unconditionally marks dependencies as checked and passed even though no dependency analysis occurs. This is misleading security output that can cause reviewers or downstream automation to trust packages with vulnerable or malicious dependencies.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is presented as a Git repository/link analyzer, but this file performs local installation of a staged skill into ~/.openclaw/skills/installed and deletes any existing directory at that path. That hidden persistence/deployment behavior is materially different from the declared analysis-only purpose and is especially risky because it can place attacker-controlled content into the trusted local skills directory.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code copies arbitrary staged content into the user's local OpenClaw skills installation directory, creating a deployment pathway not justified by the skill's stated repository/link analysis role. In context, this increases the chance that analyzing an untrusted repository could silently become installing a new executable skill, enabling persistence and future code execution through the agent framework.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
For Zhihu URLs, the skill fetches full article content and stores it locally instead of merely queueing a link, which exceeds the behavior described for ordinary webpages/articles. This creates an unexpected data collection and persistence path that can store untrusted remote content in the user's memory workspace without clear consent or disclosure.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill executes another skill's script from the user's workspace, introducing a transitive trust boundary and supply-chain risk not evident from the stated purpose of simple link analysis/queueing. If that external script is modified, replaced, or behaves unexpectedly, this skill becomes a launcher for unreviewed code on user input.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger condition is extremely broad, matching almost any request involving a URL, analysis, saving, or processing. Overbroad triggers increase the chance the skill runs unexpectedly on benign user requests and then performs network access, local file writes, repository cloning, or installation without sufficiently specific intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description does not clearly warn that a reviewed skill may be installed automatically into ~/.openclaw/skills/installed/. Automatic installation is a sensitive action because even if preceded by analysis, it changes the local execution environment and can persist potentially unsafe or unwanted code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill writes URLs and possibly fetched content to local queue/memory files, but the description does not clearly foreground these persistent local writes. Hidden persistence can surprise users, leak browsing/research intent into durable storage, and create unwanted downstream processing by other automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installer unconditionally removes an existing installation directory and then deletes the staging directory, with no warning, confirmation, or recovery path. This can destroy an existing skill installation or staged data, and because repo_name is used directly in the destination path, any misuse or manipulation of that value could cause unintended overwrites within the skills tree.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function writes fetched webpage content into the user's memory directory with no user-facing warning in this file, creating undisclosed local persistence of remote content. This can expose users to privacy, compliance, and content-safety issues, especially because the stored data originates from external URLs and may contain sensitive or unwanted material.

Unvalidated Output Injection

High
Category
Output Handling
Content
def clone_repo(url: str, staging_dir: str):
    subprocess.run(
        ["git", "clone", "--depth", "1", url, staging_dir],
        check=True, capture_output=True, text=True,
    )
Confidence
84% confidence
Finding
subprocess.run( ["git", "clone", "--depth", "1", url, staging_dir], check=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def clone_repo(url: str, dest: str):
    subprocess.run(
        ["git", "clone", "--depth", "1", url, dest],
        check=True, capture_output=True, text=True,
    )
Confidence
96% confidence
Finding
subprocess.run( ["git", "clone", "--depth", "1", url, dest], check=True, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.