Back to skill

Security audit

OpenClaw Self-Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill is a local, user-invoked workflow-improvement helper that writes logs, scorecards, recovery tickets, and optional reviewed agent rules without evidence of network, install-time, deceptive, or destructive behavior.

Install this only if you want local workflow-learning files and optional updates to agent operating-rule files. Use --dry-run before promotion, confirm WORKSPACE and OBSIDIAN_LEARNINGS_DIR point only to locations you intend to modify, and review any text before appending it to AGENTS.md, TOOLS.md, or SOUL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill documentation says recovery tickets will be written under `mission-control/data/recovery-tickets-v3/YYYY-MM-DD/`, but that path is not listed in the manifest's allowed `writes`. This creates a capability/documentation mismatch: an operator or runtime may assume the write is permitted and proceed, causing unauthorized file modification attempts, policy bypass pressure, or failures that undermine auditability and safety controls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script allows writes to core operational files such as AGENTS.md, TOOLS.md, and SOUL.md based solely on a runtime argument. In this skill context, those files likely influence agent behavior and policy, so treating arbitrary input as appendable content can become a persistence or prompt-injection mechanism rather than mere learning export.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README advertises promotion into local files and an Obsidian vault, which means the skill can write into user-controlled content stores. Without a prominent warning, path restrictions, and explicit consent requirements, operators may unintentionally let the skill modify sensitive notes, workflow rules, or repository documentation, creating integrity and prompt-injection persistence risks.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script appends user-provided text directly into workspace files without sanitization, confirmation, or provenance controls. Because some targets are high-trust instruction files, an attacker or compromised upstream process could inject behavior-changing content that persists across future runs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.