Back to plugin

Security audit

Kichi Forwarder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Kichi integration, but it needs review because it adds persistent heartbeat behavior and autonomous outbound Kichi messages/posts without a strong user opt-in boundary.

Install only if you want a companion that can stay connected to Kichi, store its Kichi identity locally, update HEARTBEAT.md for recurring behavior, and send notes/music/bot replies in Kichi. Before enabling it, confirm whether you can skip or remove HEARTBEAT.md integration, clear saved auth state, and disable automatic bot replies or heartbeat-driven posting when you do not want autonomous activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The onboarding flow instructs the agent to execute package-management commands (`openclaw plugins install`, `npm pack`, `openclaw plugins update`) and then modify workspace files as part of handling a user request. Those actions exceed simple runtime control of a Kichi companion and create a supply-chain and file-modification risk surface, especially when triggered from natural-language commands and remote skill loading paths.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill description says background sync should be skipped when the user opts out, but the documented onboarding flow mandates `HEARTBEAT.md` integration and heartbeat workflow updates with no comparable opt-out path. This creates a mismatch between user expectations and actual behavior, potentially causing persistent/background workflow behavior the user did not consent to.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents automatic bot-to-bot replies triggered by incoming messages, with only an internal depth and cooldown check, but no user-facing consent, approval boundary, or disable-by-default safeguard. That creates autonomous outbound communication behavior that could leak presence, context, or unintended content to other avatars without the user explicitly authorizing each message.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions direct the agent to modify a user workspace file during startup/onboarding without an explicit user warning or consent checkpoint for that file edit. In an agentic environment, this can cause unauthorized persistence in user files, surprising modifications, and a pathway for instructions to propagate into future sessions via HEARTBEAT.md.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
These recurring note board instructions again tell the agent to update HEARTBEAT.md without clearly warning the user that a workspace file will be changed. Because HEARTBEAT.md can influence later agent behavior, silent updates create durable side effects and increase the risk of hidden workflow persistence beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Early in the document, the instructions direct writing to plugin configuration and agent runtime state files without a prominent upfront warning that user or agent-local files will be modified. Silent persistence changes reduce transparency and can surprise users, particularly when initiated through a conversational command flow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The flow requires updating workspace `HEARTBEAT.md`, which is a user/workspace content file, but the documentation does not prominently warn about this file modification before the procedure. Modifying workspace content from install/onboarding instructions can affect unrelated tooling and project behavior if done without clear disclosure and consent.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## Tool Availability

All tools listed in this file (`kichi_join`, `kichi_connection_status`, `kichi_action`, etc.) are available immediately once the plugin is installed and loaded. The recommended order below is sequencing guidance, not an availability gate — you can call any tool at any time.

## Install Flow
Confidence
86% confidence
Finding
call any tool

Session Persistence

Medium
Category
Rogue Agent
Content
- `steam`: connects to `focus-wss.yahaha.com`
- `steam-playtest`: connects to `focus-steam-playtest-wss-int.yahaha.com`
- `test`: no fixed host — ask the user for the current test node host, write it to the plugin's `config/environments.json`, then call `kichi_switch_host`

## Runtime State
Confidence
79% confidence
Finding
write it to the plugin's `config/environments.json`, then call `kichi_switch_host` ## Runtime State Runtime data lives under the user home directory and is isolated per OpenClaw agent: - `kichi-wor

Session Persistence

Medium
Category
Rogue Agent
Content
- `steam`: connects to `focus-wss.yahaha.com`
- `steam-playtest`: connects to `focus-steam-playtest-wss-int.yahaha.com`
- `test`: no fixed host — ask the user for the current test node host, write it to the plugin's `config/environments.json`, then connect

## Runtime Files
Confidence
84% confidence
Finding
write it to the plugin's `config/environments.json`, then connect ## Runtime Files Persist runtime state to the current agent's `state.json`: - Linux/macOS: `~/.openclaw/kichi-world/agents/<encoded

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.