Security audit

Growth Engineer

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate growth-automation tool, but it has enough host-changing, persistent, and write-capable behavior that users should review it carefully before installing.

Install only in a workspace or VPS where recurring automation and host changes are acceptable. Before first run, review and consider disabling GitHub auto-creation, OpenClaw/Hermes cron, self-update behavior, command-mode connectors, and shell-profile edits; use least-privilege tokens and avoid running it against untrusted project configs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (189)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs the agent to read environment variables and secrets files, modify files in the workspace and home directory, and write shell profile changes, but those capabilities are not declared in a permissions model. This creates a transparency and least-privilege problem: a user may expect a planning/analysis skill while it can read secrets and persist host-side changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared description frames the skill as an analytics/growth assistant, but the instructions authorize software installation, self-update, shell profile modification, scheduler/bootstrap creation, and runtime artifact generation. That mismatch is dangerous because operators may grant trust based on an innocuous description while the skill performs privileged host modification and persistence actions.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The bootstrap script does more than local file copying: it conditionally performs a forced self-update via `clawhub ... update ... --force` or `npx -y clawhub ...`, and may also invoke another installer script to update `analyticscli`. This expands the trust boundary to remote package/update infrastructure and permits code changes during bootstrap, which is risky for a script that appears to prepare a workspace and may be run automatically or without close review.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The comment states the script is 'Idempotent' and safe to re-run, but the implementation can trigger forced package updates and external tool installation, which are side effects beyond simple idempotent file synchronization. This mismatch can mislead operators into re-running a script they believe is harmless, increasing the chance of unreviewed code changes entering the environment.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The installer appends PATH modifications to multiple shell profile files, creating persistent changes to the user's environment. While this is a common convenience pattern for CLI installers, it exceeds the minimal scope needed for a growth-analysis skill and introduces account-persistence behavior that could be abused if the installed package name or prefix were changed to point at a malicious binary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script launches fresh shells and sources user profile files to verify installation, which executes arbitrary code already present in those profiles under a sanitized PATH. That behavior is broader than necessary for package installation and can trigger unintended commands or side effects from hostile or unsafe profile contents.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
This file implements a standalone HTTP API that accepts inbound feedback, stores raw submissions in an NDJSON log, and serves aggregate summaries over the network. That behavior goes beyond passive local drafting/correlation and creates a persistent data collection surface, which is risky because feedback may contain user identifiers, comments, and metadata that can expose sensitive product or user information if the service is reachable or misconfigured.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `--allow-unauthenticated` flag explicitly permits running the feedback API with no authentication, while the server also enables permissive CORS headers. Even though the default host is loopback, this creates an unnecessary insecure mode for a service that accepts and stores arbitrary input, and it becomes more dangerous if the operator binds to a broader interface or proxies the service.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This preflight script is not validation-only: it performs `npm install -g`, falls back to a user-local global install, prepends PATH, and edits multiple shell startup files. In a skill context, a user may run preflight expecting a harmless check, but this code changes the host persistently and can pull and execute remote package code, which materially increases supply-chain and workstation risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script executes configured shell commands from the project config during smoke tests via `runShell`, which invokes a real shell with `-c`. Because source commands are configuration-controlled and can include arbitrary shell metacharacters or chained commands, running preflight can trigger arbitrary code execution on the host under the user's environment and secrets.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The fresh-shell verification path sources `~/.bashrc`, `~/.profile`, `~/.zshrc`, and related files inside shell probes. Those files can contain arbitrary user or third-party startup code, so a simple verification step ends up executing unrelated local code with the current environment, making the preflight behavior non-deterministic and potentially unsafe.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The runner can autonomously update its installed skill via `npx ... clawhub ... update`, execute a bootstrap shell script, and then restart itself. That is self-modifying behavior outside the stated core task of drafting proposals, and it creates a software supply-chain execution path where updated code and bootstrap logic can change the workspace without an explicit approval gate at runtime.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The runner executes configured shell commands for sources and notification channels using a real shell (`shell -c`) while inheriting the full process environment. If configuration is attacker-controlled or influenced, this becomes arbitrary command execution with access to workspace files, tokens, and any ambient privileges available to the agent host.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script performs package installation, PATH/profile modification, and shell-environment persistence even though the skill is described as generating growth proposals. That mismatch is dangerous because running the skill changes host state, installs code from external sources, and expands execution surface far beyond what a user would reasonably expect from an analysis/proposal tool.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script creates or repairs scheduler jobs and rewrites HEARTBEAT.md, introducing persistence and automated re-execution on the host. For a skill framed as drafting proposals, this is excessive authority and can cause ongoing unattended execution of later commands without the user's informed approval.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script installs system binaries, agent skills, and helper tooling via npm, apt, brew, winget, npx, and shell installers. This creates a broad supply-chain and privilege-risk surface, especially because the installed components are fetched at runtime and may execute with the user's permissions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script writes third-party MCP credentials into `~/.codex/config.toml`, persisting secrets on disk in a shared client configuration area. Persisting API credentials this way increases the chance of accidental disclosure, reuse by unrelated tools, or later exfiltration from the host.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The wizard performs an automatic self-update by invoking `npx ... clawhub ... update`, refreshes workspace runtime files, and then restarts itself. That materially exceeds a normal setup assistant's expected role and creates a supply-chain execution path where remote package content can modify local code before the user finishes configuration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This code automatically downloads and installs the GitHub CLI into the user's home directory and edits shell profile files to alter PATH. A growth-analysis wizard should not silently mutate the host toolchain and login environment, because that broadens persistence and execution scope beyond connector setup.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The generated isolated-runner kit creates system users, writes executables into `/usr/local/bin`, and installs a passwordless sudoers policy. This is highly privileged host reconfiguration unrelated to analytics correlation, and if misused or compromised it can establish durable privilege boundaries and execution pathways on the system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that the skill can automatically create GitHub issues or draft pull requests, but the warning about write-capable behavior is buried in later configuration details rather than prominently disclosed before setup and execution steps. In an agent skill context, this can lead users to grant repository access or run automation without fully understanding that the tool may create remote artifacts, causing unintended repository changes, spam, or workflow abuse.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using broad trigger phrases such as 'setup' can cause this skill to activate on ordinary user messages that were not intended to invoke a high-privilege workflow. In this skill, accidental invocation is more serious because activation can lead to package installs, secret-handling flows, and persistent system changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The startup protocol binds generic phrases like 'start', 'run', and 'kick off' to a workflow that includes dependency refresh, self-update, and wizard routing. Because these are common phrases in unrelated chats, the skill may seize control unexpectedly and initiate privileged operations without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The config enables automatic issue creation and related auto-creation behavior whenever GitHub write access is available, without visible gating by event type, dry-run default, approval requirement, or restrictive conditions. In this skill context, the agent correlates multiple noisy external data sources and can write to GitHub, so false or manipulated signals could cause unwanted repository-state changes at scale.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The actions block clearly enables GitHub issue creation and auto-creation behavior, but the example provides no user-facing warning that running the skill can modify repository state. Because this is an agent skill likely to be adopted via configuration, the lack of explicit disclosure increases the chance of surprise writes, spammy issues, or trust-boundary violations in production repos.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/export-analytics-summary.mjs:106

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/export-asc-summary.mjs:188

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/openclaw-growth-preflight.mjs:290

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/openclaw-growth-runner.mjs:330

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/openclaw-growth-start.mjs:429

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/openclaw-growth-status.mjs:121

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/openclaw-growth-wizard.mjs:1950

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/asc-exporter-cache.test.mjs:82

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/bootstrap-heartbeat.test.mjs:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/connector-health-cadence.test.mjs:315

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/install-analyticscli-cli.test.mjs:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/production-release-filter.test.mjs:65

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/discord-openclaw-bridge.mjs:65

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-asc-summary.mjs:50

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-coolify-summary.mjs:33

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-paddle-summary.mjs:51

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-revenuecat-summary.mjs:153

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-sentry-summary.mjs:29

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/export-seo-summary.mjs:70

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-engineer.mjs:1336

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-preflight.mjs:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-runner.mjs:295

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-start.mjs:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-status.mjs:35

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/openclaw-growth-wizard.mjs:19

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/export-asc-summary.mjs:299

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/export-asc-summary.mjs:315

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/openclaw-growth-preflight.mjs:556

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/openclaw-growth-start.mjs:509

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
scripts/openclaw-growth-status.mjs:239