publish-knowledge-health-checker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local knowledge-base checker, but it needs Review because it can generate executable scripts that delete or bulk-edit files and its reports can expose local path details.

Install only if you are comfortable letting it read the selected knowledge-base folder. Treat generated HTML reports as private unless you remove local paths and filenames. Do not run generated auto-fix scripts without a backup and line-by-line review, especially rm and sed commands. Enable cron or Feishu/email output only after confirming the exact schedule and destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The cron integration and outbound delivery to Feishu/email introduce persistence and data egress capabilities beyond a one-shot local health check. Even if intended for convenience, scheduled execution plus notifications can expose file names, metadata, or report contents over time without a narrowly scoped purpose or consent flow.

Context-Inappropriate Capability

Severity: Low
Confidence: 71%
Finding:
Automatically opening the generated report in a browser is an execution-side action that goes beyond passive file generation. While low severity, auto-launch behavior can surprise users, trigger unintended local application execution, and reduce user control over when and how generated content is rendered.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
This diagnostic skill goes beyond reporting and generates executable remediation scripts that delete files and rewrite content. In a knowledge-base context, incorrect classification of files as empty or broken-link replacements can cause irreversible data loss or widespread unintended edits, especially because the script is made executable automatically.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The Python fixer similarly exceeds a pure checker role by preparing a backup-and-delete workflow derived from scan results. While the deletion step is commented out in the generated Python script, the script still operationalizes destructive actions; the step can easily be uncommented, or the script trusted by users who have not sufficiently reviewed the generated output.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The code creates executable shell scripts containing rm and sed -i commands based on scan data, which is a high-impact capability. Although file paths are shell-quoted, the replacement text passed to sed incorporates the target and similar filenames without escaping, so crafted link names containing sed metacharacters or quotes can break the command or alter unintended content, in addition to enabling destructive bulk edits.

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding:
The report embeds a concrete absolute local filesystem path (/Users/mac/.openclaw/workspace/memory) directly in the generated HTML. This unnecessarily discloses host-specific environment information, which can aid reconnaissance, leak usernames and workspace structure, and may expose sensitive directory conventions if the report is shared outside the local machine.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The file defines an HTML escaping helper and claims XSS prevention, but the main report template injects multiple unescaped values directly into HTML, including results['scan_path'] and several score/stat fields. If any of these fields can be influenced by scanned content or attacker-controlled metadata, opening the generated report in a browser could execute injected HTML/JavaScript in the local context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill generates deletion and batch-modification scripts, including rm and sed examples, but does not provide a prominent overall warning about destructive file operations and rollback expectations. In a knowledge-base context this is especially risky because the target is a large recursive corpus, so mistakes or bad matching could cause irreversible loss or widespread unintended edits.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The test prompts use very broad natural-language phrases such as checking knowledge base health or analyzing network structure without any clear trigger boundaries, exclusions, or confirmation requirements. This can cause unintended activation of the skill on ambiguous user requests and may lead to unscoped repository scanning, report generation, or other high-impact operations beyond what the user explicitly intended.

VirusTotal

67/67 vendors flagged this skill as clean.