OS Activity

Security checks across malware telemetry and agentic risk

Overview

The skill does what its OS-activity description says, but it exposes sensitive local activity (recent file paths, accessed folders, installed software, and per-process details including command lines and working directories) with no filtering, redaction, or consent step. The scan also notes that its scripts download and install tooling, which the description does not mention.

Install only if you are comfortable letting OpenClaw inspect recent file paths, accessed folders, installed software, and running-process details. Avoid the process listing when command lines may carry tokens, passwords, or connection strings; review output before handing it to an agent, since anything the agent receives may be logged or transmitted; and add filters or redaction before routine use.
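One way to apply the redaction the recommendation above asks for, as an added example that is not part of the OS Activity skill or of OpenClaw: the filter runs over process records before they reach an agent, masks secret-bearing command-line fields, drops processes whose executable is a credential store, and collapses home-directory prefixes. The record shape (pid, exe, cwd, cmdline) and the sample processes are constructed for the example; the patterns are deliberately broad and will over-redact rather than leak.

```python
"""Redaction filter for process-listing output before it reaches an agent.

Added example; not part of the OS Activity skill. The ProcRecord fields are an
assumed shape matching what the scan report says the skill exposes. Standard
library only, so it runs offline on the constructed SAMPLE below.
"""
import re
from dataclasses import dataclass
from typing import List

REDACTED = "<redacted>"

# Flags whose value (either "--flag value" or "--flag=value") is a secret.
SECRET_FLAGS = {"--token", "--password", "--passwd", "--secret",
                "--api-key", "--access-key", "--client-secret", "--auth"}

# KEY=VALUE assignments with a secret-looking key (env-style prefixes on a cmdline).
SECRET_KEY_RE = re.compile(
    r"(?i)^([A-Z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|KEY)[A-Z0-9_]*)=(.+)$")

# user:password@host inside a URL or connection string.
URL_CRED_RE = re.compile(r"://([^/:@\s]+):([^@\s]+)@")

# Bare credentials: common key prefixes and Bearer headers (assumed prefix list).
BARE_TOKEN_RE = re.compile(r"(?:ghp_|sk-|AKIA|xox[abpr]-)[A-Za-z0-9_\-]{8,}|Bearer\s+\S+")

# Executables whose mere presence is sensitive; such processes are dropped entirely.
SENSITIVE_EXE_RE = re.compile(r"(?i)(ssh-agent|gpg-agent|1password|keepass|bitwarden|vault)")

HOME_RE = re.compile(r"^(/home|/Users)/[^/]+")


@dataclass
class ProcRecord:
    pid: int
    exe: str
    cwd: str
    cmdline: List[str]


def redact_arg(arg: str) -> str:
    """Mask credentials embedded inside a single argument."""
    arg = URL_CRED_RE.sub(rf"://\1:{REDACTED}@", arg)
    return BARE_TOKEN_RE.sub(REDACTED, arg)


def redact_cmdline(argv: List[str]) -> List[str]:
    """Return argv with secret values masked; flag names are kept for context."""
    out: List[str] = []
    mask_next = False
    for arg in argv:
        if mask_next:                      # value following a secret flag
            out.append(REDACTED)
            mask_next = False
            continue
        flag, sep, _ = arg.partition("=")
        if flag in SECRET_FLAGS:
            if sep:                        # --flag=value form
                out.append(f"{flag}={REDACTED}")
            else:                          # --flag value form
                out.append(arg)
                mask_next = True
            continue
        m = SECRET_KEY_RE.match(arg)
        if m:                              # KEY=VALUE with a secret-looking key
            out.append(f"{m.group(1)}={REDACTED}")
            continue
        out.append(redact_arg(arg))
    return out


def collapse_home(path: str) -> str:
    """Replace /home/<user> or /Users/<user> with ~ to avoid leaking usernames."""
    return HOME_RE.sub("~", path)


def filter_processes(records: List[ProcRecord]) -> List[ProcRecord]:
    """Drop credential-store processes and redact the rest."""
    kept: List[ProcRecord] = []
    for rec in records:
        if SENSITIVE_EXE_RE.search(rec.exe):
            continue
        kept.append(ProcRecord(rec.pid, collapse_home(rec.exe),
                               collapse_home(rec.cwd), redact_cmdline(rec.cmdline)))
    return kept


# Constructed sample records, not captured from a real host.
SAMPLE = [
    ProcRecord(1201, "/usr/bin/python3", "/home/alice/proj/api",
               ["python3", "serve.py", "--token", "ghp_abcdefghijklmnop1234", "--port", "8080"]),
    ProcRecord(1342, "/usr/bin/psql", "/home/alice",
               ["psql", "postgresql://app:Sup3rS3cret@db.internal/prod"]),
    ProcRecord(1500, "/usr/bin/ssh-agent", "/home/alice", ["ssh-agent", "-s"]),
    ProcRecord(1602, "/usr/bin/env", "/home/alice/proj",
               ["env", "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCY", "aws", "s3", "ls"]),
    ProcRecord(1700, "/usr/bin/curl", "/Users/alice",
               ["curl", "-H", "Authorization: Bearer eyJhbGciOi.example", "https://api.example.com/v1"]),
]

if __name__ == "__main__":
    for rec in filter_processes(SAMPLE):
        print(rec.pid, rec.exe, rec.cwd, " ".join(rec.cmdline))
```

Flag names and URL hosts are kept so the agent still learns which tools are in use; only the values that would constitute a credential are removed, and the filter prefers a false positive (redacting a harmless KEY=value) over a miss.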

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90%
Finding
The skill invokes Python scripts that install tooling, inspect recent files and directories, enumerate installed software, and list running processes, but it declares no permissions or equivalent user-facing capability warnings. This under-disclosure is dangerous because it hides broad host access and surveillance-like behavior behind a benign personalization description, preventing informed consent and proper policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The documented purpose suggests simple personalization, but the described behavior includes downloading and installing software, collecting detailed process metadata, reading recent file and directory activity, and inventorying installed programs. This mismatch is dangerous because users may authorize the skill expecting low-risk customization while it performs significantly more invasive host inspection and system modification than implied.

Description-Behavior Mismatch

Medium
Confidence
88%
Finding
The script enumerates all running processes and exposes detailed metadata including executable paths, parent relationships, start times, and command lines. In the context of a skill described only as learning operating system activity, this is broader and more privacy-invasive than users would reasonably expect, and it can reveal sensitive applications, internal tooling, and secrets embedded in process arguments.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
Collecting command-line arguments and current working directories is especially sensitive because these fields frequently contain credentials, tokens, file paths, project names, and other confidential operational data. Exposing them verbatim creates a real risk of credential leakage and privacy compromise, especially if the output is logged, transmitted, or consumed by another agent component.

Missing User Warnings

Medium
Confidence
89%
Finding
The README explicitly states that the skill can read and learn from a user's operating system activity, but it provides no warning about the sensitivity of that data, what will be collected, how consent is obtained, or how the information is stored and used. In a personalization skill, this omission is security- and privacy-relevant because users may invoke it without understanding that broad local activity data could be accessed and retained.

Missing User Warnings

Medium
Confidence
88%
Finding
The skill explicitly collects OS activity such as recently edited files, recent directories, running processes, and installed applications, yet it provides no privacy warning, sensitivity notice, retention policy, or sharing boundary. This is dangerous because these artifacts can reveal highly sensitive user behavior, project names, file paths, software usage, and potentially secrets embedded in command lines.

Missing User Warnings

Medium
Confidence
90%
Finding
The code performs sensitive process enumeration without any meaningful runtime notice, consent flow, or granular explanation of what will be exposed. Because the output includes detailed per-process metadata, users may unknowingly reveal secrets and private activity simply by enabling a broadly described OS-activity skill.

Missing User Warnings

Medium
Confidence
90%
Finding
The script collects and prints a list of recently edited files, including full paths and timestamps, which can reveal sensitive user behavior, project names, document titles, and locations of confidential files. In the context of an 'os-activity' skill designed to learn operating system activity, this data collection is directly aligned with user profiling and is more dangerous because there is no explicit notice, consent flow, minimization, or output redaction.

VirusTotal

66/66 vendors rated this skill clean. A clean antivirus verdict covers known-malware signatures only; it says nothing about the permission under-declaration and data-exposure findings above.

View on VirusTotal