Blocket Watcher - Sweden

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Blocket listing watcher that can run on a user timer and send matching results to a configured Telegram target.

Install only if you want a scheduled local Blocket watcher. Review config.json before enabling it, keep your Telegram chat ID and search terms private, verify the blocket and openclaw binaries are from trusted sources, and test with dry-run before enabling the timer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documentation indicates shell execution, file reads/writes, environment-variable use, and scheduled operation, but it declares no permissions. That creates a transparency and review gap: users may install a skill that can execute commands and persist local state without an explicit capability declaration. In this context the behavior appears aligned with the skill’s purpose, but undeclared capabilities still increase the chance of unsafe deployment and weaken least-privilege controls.

VirusTotal

65/65 vendors flagged this skill as clean.
