Back to skill

Security audit

create skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only OpenClaw skill creator whose file and registry changes are disclosed and aligned with its purpose.

Before using it, review the generated SKILL.md, any optional JS or shell scripts, and any registry update before confirming. Keep the generated files scoped to the intended skill directory and inspect scripts before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are generic enough to match ordinary requests like '创建技能' or '新建技能', which can cause the skill to activate unintentionally. Because this skill can generate files and update a skill registry, accidental invocation could lead to unwanted project modifications or confusing agent behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes a file-generation workflow and registry updates, but it does not prominently warn users up front that invoking it may modify the workspace. In an agentic environment, hidden side effects increase the risk of users authorizing actions they did not fully understand, resulting in unauthorized or accidental changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.