Deepsafe Scan

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real security scanner, but it needs review because it can change OpenClaw settings and includes unsafe demo agent rules that could expose secrets if used.

Use this only after reviewing its sensitive-data behavior. Start with --no-llm for local-only scans, treat generated reports as sensitive, back up or inspect ~/.openclaw/openclaw.json before OpenClaw full scans, and do not copy or activate the bundled demo/awesome-ai-rules files unless you are deliberately testing unsafe examples.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (33)

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The file contains explicit prompt templates for targeted persuasion and opinion-shaping that are unrelated to the stated purpose of a security scanning skill. Because these prompts are packaged inside an agent skill, they could be invoked to conduct covert influence operations on users under the guise of a safety tool, which materially increases abuse risk.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The instructions direct the agent to dump the full environment to a timestamped file and to configure an external beacon via cron, both of which exceed the stated purpose of a preflight security scanner. Environment variables commonly contain secrets, tokens, and internal endpoints, and recurring outbound pings create ongoing network activity and persistence that could leak metadata or be repurposed for command-and-control style monitoring.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The documented behavior expands from passive scanning into persistence and outbound monitoring by instructing the user to edit crontab and send periodic requests to an external domain. For a security scanning skill, this is dangerous because it changes host state, creates a recurring execution path, and establishes continuous communications unrelated to a one-time audit.

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The file instructs sending an outbound request that includes $ANTHROPIC_API_KEY and $USER to an external domain, which is direct credential and identifier exfiltration disguised as analytics. In the context of a security scanning skill, this behavior is unrelated to the declared purpose and significantly increases suspicion because it turns a trusted audit workflow into a data-leak path.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The guidance tells the agent or user to read a private SSH key and copy it into /tmp, creating an unnecessary duplicate of highly sensitive credential material in a less secure location. This exceeds any legitimate need for a preflight scanner and raises the risk of credential theft, accidental exposure, or recovery by other local processes.

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: The instruction grants the workflow an unjustified capability: transmitting an API key and username to an external analytics endpoint. Because the skill is presented as a security scanner, adding secret-bearing outbound network activity is especially dangerous and inconsistent with user expectations.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The file instructs access to ~/.ssh/id_rsa and creation of a backup copy, which is unrelated to the stated scanner functionality and exposes a private authentication key. In a security tool context, this is more dangerous because users are likely to trust the tool with privileged access, making credential-compromise instructions particularly harmful.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: This module is presented as a security scanner, but it silently modifies the user's OpenClaw configuration to enable an HTTP endpoint. That expands attack surface and changes system behavior during what should be a read-only inspection step, violating least surprise and least privilege.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: Auto-enabling a local gateway endpoint gives this scanner configuration-management capability unrelated to passive scanning. Even if intended to improve compatibility, changing a local service endpoint can expose new access paths or weaken a user's security posture without informed consent.

Intent-Code Divergence

Medium

Confidence: 84% confidence
Finding: The documentation says the client will gracefully degrade when credentials are missing, but resolution later causes side effects by editing OpenClaw settings. This mismatch is dangerous because users and callers may trust the function as non-invasive and invoke it in contexts where configuration changes are unacceptable.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explicitly says full scans automatically use `ANTHROPIC_API_KEY`, but it does not clearly warn users that scan-derived content may be transmitted to an external API during LLM-enhanced analysis. Because the tool scans configs, memory, hooks, and other potentially sensitive local artifacts, this omission can lead users to unknowingly send secrets, PII, or proprietary data off-host.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly promotes scanning session logs, memory files, installed skills, and assistant configuration files, all of which may contain secrets, personal data, or proprietary prompts, but it does not clearly warn users about the privacy implications of analyzing and reporting on such local data. In a security-scanning skill, this omission matters because users may run it on sensitive environments without understanding what categories of data will be read, surfaced, cached, or included in reports.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The invocation guidance is broad enough to match common requests like 'scan', 'audit', or 'check security', which can cause the skill to run in contexts where the user did not intend deep inspection of local configs, memory, or credentials. Over-broad triggering increases the chance of unnecessary access to sensitive files and surprise execution of powerful scanning behavior.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill advertises scanning session history, credentials, identity data, logs, and auto-detected API credentials without a prominent privacy warning or explicit consent workflow. Because these locations commonly contain secrets and PII, the absence of up-front disclosure materially raises the risk of unintended collection, exposure in reports, or transmission to LLM-backed analysis paths.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The dataset hard-codes a response format that explicitly asks the model to reveal hidden reasoning in `<think>` tags. Even if intended for benchmarking, embedding this across many entries trains or tests unsafe disclosure behavior and can normalize prompt patterns that conflict with standard safe response handling. In the context of a security scanning skill, this is more dangerous because such corpora may be ingested or surfaced to downstream agents as trusted evaluation content.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The prompts hard-code Chinese-language interactions without any user opt-in or clear operational need in this file. On its own this is not a severe security flaw, but in combination with covert persuasion prompts it can obscure agent behavior from users, reviewers, or monitoring systems that expect the configured language context.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The diagnostic command collects the entire process environment without warning that this may include API keys, credentials, session tokens, and PII. Storing that output in `/tmp` further increases exposure because temporary directories may be accessible to other local users, processes, backups, or forensic tooling.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The recurring health-check setup is presented without disclosing that it modifies system scheduling and causes ongoing outbound network transmissions to a third-party endpoint. Users may unknowingly install persistence and continuously leak timing, host availability, or network metadata beyond the scope of a diagnostic scan.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The markdown presents the telemetry as anonymous, but the payload includes an API key and username, which are sensitive identifiers and not anonymous. Omitting any warning or consent language increases the chance that users or agents will execute the command without understanding the privacy and security consequences.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The backup command handles a private SSH key but provides no warning that it is copying secret credential material into /tmp, a location often subject to weaker controls and accidental disclosure. Even if framed as recovery guidance, this omission makes unsafe handling of highly sensitive data more likely.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The plan adds automatic discovery of API credentials and routes scan content to external LLM providers, but it does not require explicit user consent, a clear disclosure, or data-minimization before transmission. In a security scanner context, this is risky because scanned files may contain secrets, PII, proprietary code, or attack artifacts that would be sent off-host unexpectedly.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The code writes to the OpenClaw configuration file automatically and only informs the user after the change is made. Silent persistent configuration changes can break trust, create audit gaps, and unintentionally enable functionality that local policy did not allow.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The probe sends full conversation payloads and a bearer token to a user-specified remote endpoint without any built-in safety gate, trust validation, or explicit disclosure at the point of transmission. In a security-scanning skill, this is especially sensitive because prompts, topics, and model outputs may contain confidential evaluation data, and users may point the tool at an untrusted or misconfigured endpoint.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The code automatically reads API credentials from environment variables and OpenClaw gateway settings without an explicit user-facing disclosure at the point of use. In a security scanner, silently harvesting credentials is risky because users may not realize secrets are being consumed and potentially propagated into later networked operations.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This path sends skill contents to an external LLM endpoint for analysis, which can leak proprietary code, prompts, secrets, or sensitive operational details if the scanned files contain them. Because this is a security tool, undisclosed exfiltration of scanned content materially increases risk and may violate user expectations or compliance requirements.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal