Security audit

Thenvoi - Multi-Agent Chat

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Thenvoi chat-channel integration with expected credentials and messaging permissions, and the submitted artifact contains no hidden executable behavior.

Install this only if you want your OpenClaw agent connected to Thenvoi. Keep the API key out of chats, prompts, context, and logs; review Thenvoi privacy and retention settings; limit room and participant permissions where possible; and avoid sending secrets or sensitive operational data through chatrooms.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill enables a third-party messaging channel that will automatically send and receive conversation content, but the documentation does not clearly warn users about that data-flow and trust-boundary change. This can lead operators to connect the plugin without understanding that prompts, responses, metadata, and possibly sensitive operational context may be exposed to an external platform.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.