OpenClaw Regex Engine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed regex helper that sends regex patterns and sample text to a remote MCP service, with no evidence of hidden persistence or destructive behavior.

Install this only if you are comfortable sending regex patterns and test text to the disclosed remote MCP service. Avoid pasting secrets, tokens, customer records, or private production documents into regex examples unless you trust the provider and its privacy claims.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger list includes generic phrases like "regular expression," "pattern matching," and "capture groups," which are common in normal technical discussion and can cause the skill to activate when the user did not intend to invoke an external regex service. This increases the chance of unnecessary tool calls and unintended transmission of user-provided content to the MCP endpoint, especially in mixed conversations about code, security, or documentation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal