Security audit

OpenClaw Skill Creator (yejay7)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for creating properly formatted OpenClaw skills, with disclosed local file creation and optional publishing steps.

Before using it, confirm the local OpenClaw skills path is correct, review the files it creates or updates, and only run the optional login or publish commands when you intentionally want to authenticate with ClawHub or publish a skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly states that a new skill will be created automatically under a local workspace path, which implies filesystem modification without any explicit consent, confirmation step, or warning about local changes. In an agent setting, guidance that normalizes automatic file creation can lead to unintended writes, overwrites, or persistence of unreviewed content in the user's environment.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.