europe-anz Market Policy Query Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simple policy-query skill with placeholder data and no hidden file, network, install-script, or persistence behavior.

Install only if you are comfortable with a low-maturity placeholder skill. Do not put real API keys into dataSources until you verify or modify the code, because the current implementation may echo configured data-source values in returned results and does not actually fetch live policy data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Known Vulnerable Dependency: openclaw==2026.4.0 — 10 advisory(ies): CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r); CVE-2026-43526 (OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetche); CVE-2026-43530 (OpenClaw: busybox and toybox applet execution weakened exec approval binding) +7 more

High
Category: Supply Chain
Confidence: 90%
Finding: openclaw==2026.4.0

VirusTotal

62/62 vendors flagged this skill as clean.
