Security audit

agentCreate

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with managing OpenClaw agents, but its full uninstall path can force-delete workspaces and directly edit local configuration containing channel credentials.

Install only if you want this skill to manage OpenClaw agents and channel bindings. Before using full uninstall, verify the exact agent ID, back up the workspace and openclaw.json, replace the hard-coded config path with your real path, and confirm the channel account is not shared. Treat appId/appSecret values as sensitive credentials and rotate them if they were exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad, ambiguous phrases such as "new bot" and "创建机器人", which can plausibly appear in ordinary conversation and cause unintended skill activation. In this skill, accidental activation is more dangerous than usual because the skill performs sensitive lifecycle operations like creating or uninstalling isolated agents, potentially leading to unauthorized provisioning, configuration changes, or destructive workflows being initiated.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs operators to place channel credentials such as appId and appSecret into configuration, but provides no warning about secret sensitivity, storage protections, access control, or audit implications. In an agent skill context, this can lead to accidental credential exposure in shared configs, logs, backups, or screenshots, enabling unauthorized access to external messaging channels.

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The skill directs creation of new agent workspaces and persistent configuration changes using non-interactive commands, but does not clearly warn the user that filesystem state and agent bindings will be modified. This increases the risk of unintended persistent changes, especially when run by an automated agent on behalf of a user without explicit confirmation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The document provides irreversible uninstall and deletion steps, including forced agent deletion and direct modification of the user’s config file, but it does not require an explicit confirmation checkpoint or a clear warning about data loss before execution. In an agent skill context, these instructions are operational guidance that could be translated into actions by an automated assistant, making accidental or socially engineered destructive deletion materially more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal