Back to skill

Security audit

Permission Enforcer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a permission-control skill, but its own documented enforcement paths can fail open and still allow high-impact commands after errors or missing components.

Review this carefully before installing. It may be useful as a permission wrapper, but its fail-open behavior means missing rules, broken checker output, or missing checker files can still lead to command execution. Use only in a sandbox or after changing the policy model to deny by default and tightly limiting privileged commands such as sudo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code is named and documented as a permission enforcer, but when no rule matches it returns `allow` with reason `No matching policy rule; default allow`. In a security control, fail-open behavior allows unanticipated actions—including file writes, shell commands, or MCP operations—to proceed whenever policy coverage is incomplete, which is especially risky in an agent skill expected to constrain tool use.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code is named and documented as a permission enforcer, but when no rule matches it returns `allow` with reason `No matching policy rule; default allow`. In a security control, fail-open behavior allows unanticipated actions—including file writes, shell commands, or MCP operations—to proceed whenever policy coverage is incomplete, which is especially risky in an agent skill expected to constrain tool use.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The wrapper is presented as a permission-enforcing control, but if the policy checker file is missing it offers to continue and eventually executes the command without any policy decision. That creates a fail-open path where the security mechanism can be bypassed by misconfiguration, deletion, or tampering with the checker component.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
When the policy result is unknown, empty, or erroneous, the wrapper falls back to interactive approval and can still execute the command. This weakens the advertised policy enforcement model because parser failures, checker crashes, or malformed responses become an authorization bypass rather than a denial.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module presents itself as a unified permission checker, but the implementation returns `{ allowed: true }` whenever no rule matches. In a security enforcement component, default-allow behavior creates a fail-open condition: new actions, malformed inputs, missing rules, or policy load issues can silently bypass intended restrictions.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
| `file_write` | `openclaw_core` | prompt | 修改核心文件需确认 |
| `bash` | `rm -rf /` 等 | deny | 禁止危险删除命令 |
| `bash` | `curl`, `wget` | prompt | 网络下载需确认 |
| `bash` | `sudo` | prompt | sudo 需确认 |
| `mcp` | `write_file` | prompt | MCP 文件写入需确认 |

## 使用
Confidence
84% confidence
Finding
sudo

Chaining Abuse

High
Category
Tool Misuse
Content
| `file_write` | `openclaw_core` | prompt | 修改核心文件需确认 |
| `bash` | `rm -rf /` 等 | deny | 禁止危险删除命令 |
| `bash` | `curl`, `wget` | prompt | 网络下载需确认 |
| `bash` | `sudo` | prompt | sudo 需确认 |
| `mcp` | `write_file` | prompt | MCP 文件写入需确认 |

## 使用
Confidence
80% confidence
Finding
| sudo

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.