Security audit

Skill Usage Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a local documentation analyzer for OpenClaw skills, and the reviewed code matches that purpose without network exfiltration or hidden persistence.

Install only if you are comfortable with a local tool reading SKILL.md files across your OpenClaw skills directory and listing filenames in analyzed skill folders. Avoid pointing it at unrelated private directories if filename disclosure would matter.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The script is advertised as analyzing SKILL.md content, but it also enumerates the entire containing directory and reports sibling files and subdirectories. In a skill-execution context, this expands access from a single intended document to broader local metadata disclosure, which can reveal sensitive filenames, hidden implementation details, or adjacent assets not meant to be surfaced.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal