Back to skill

Security audit

Group Deduplicate

Security checks across malware telemetry and agentic risk

Overview

The skill is not malware, but it claims to search real groups while the included search code returns fabricated deterministic results, so users should review it before trusting outputs.

Install only if you understand this appears to be a prototype or demo: it caches data as documented, but it does not perform real group search. Do not rely on its returned groups as real discoveries unless the publisher replaces the mock search implementation and pins or validates the memory-cache helper path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Get value from memory-cache."""
    try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'get',
Confidence
93% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'get', cache_key ], capture_output=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd.extend(['--ttl', str(ttl_seconds)])
    
    try:
        subprocess.run(cmd, check=True, shell=False,
        env={**os.environ, 'WORKSPACE': workspace})
        return True
    except Exception:
Confidence
92% confidence
Finding
subprocess.run(cmd, check=True, shell=False, env={**os.environ, 'WORKSPACE': workspace})

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Delete key from memory-cache."""
    workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
    try:
        subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'delete',
Confidence
92% confidence
Finding
subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'delete', cache_key ], check=True, shell=Fal

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Scan for keys matching pattern in memory-cache."""
    workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
    try:
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'scan',
Confidence
93% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'scan', pattern ], capture_output=T

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'get',
Confidence
91% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'get', cache_key ], capture_output=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'set',
Confidence
92% confidence
Finding
subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'set', cache_key, json.dumps({

Tainted flow: 'workspace' from os.getenv (line 32, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"""Get value from memory-cache."""
    try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'get',
Confidence
96% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'get', cache_key ], capture_output=

Tainted flow: 'cmd' from os.getenv (line 50, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
cmd.extend(['--ttl', str(ttl_seconds)])
    
    try:
        subprocess.run(cmd, check=True, shell=False,
        env={**os.environ, 'WORKSPACE': workspace})
        return True
    except Exception:
Confidence
95% confidence
Finding
subprocess.run(cmd, check=True, shell=False, env={**os.environ, 'WORKSPACE': workspace})

Tainted flow: 'workspace' from os.getenv (line 32, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"""Delete key from memory-cache."""
    workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
    try:
        subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'delete',
Confidence
95% confidence
Finding
subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'delete', cache_key ], check=True, shell=Fal

Tainted flow: 'workspace' from os.getenv (line 32, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"""Scan for keys matching pattern in memory-cache."""
    workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
    try:
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'scan',
Confidence
96% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'scan', pattern ], capture_output=T

Tainted flow: 'workspace' from os.getenv (line 52, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        result = subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'get',
Confidence
96% confidence
Finding
result = subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'get', cache_key ], capture_output=

Tainted flow: 'workspace' from os.getenv (line 52, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
        workspace = os.getenv('WORKSPACE', '/Users/x/.openclaw/workspace')
        subprocess.run([
            'python3', 
            f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 
            'set',
Confidence
96% confidence
Finding
subprocess.run([ 'python3', f'{workspace}/skills/memory-cache/scripts/cache_manager.py', 'set', cache_key, json.dumps({

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation exposes operational capabilities requiring environment access, network access, and shell execution, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or orchestrators may invoke a skill with broader capabilities than expected, increasing the risk of unintended command execution, outbound requests, or secret exposure via environment variables.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrowly framed as external group search with deduplication, but the described behavior includes broader cache administration functions and, per the finding, the search behavior may be mock/deterministic rather than real. This mismatch is dangerous because operators may trust the skill to perform one bounded task while it can inspect, modify, or delete cached data and misrepresent the provenance or reality of returned results.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill executes another local Python script through subprocess using a path influenced by WORKSPACE, which is not clearly necessary for simple deduplication and materially expands capability into arbitrary local code loading. In this skill context, hidden execution of external scripts is more dangerous because users expect cache bookkeeping, not delegated code execution based on environment state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill automatically persists discovered group identifiers and links in Redis for 30 days, but the description does not prominently warn users about this retention behavior. This can lead to unintentional storage of potentially sensitive community metadata, creating privacy, compliance, and data-governance risks if users assume searches are ephemeral.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description does not clearly warn that searches may trigger outbound requests to third-party search engines and temporary use of session cookies. This is risky because users may unknowingly transmit queries, metadata, or authenticated browsing context to external services, which can expose internal research activity or user-associated session state.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.