Sophie Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can delete the main OpenClaw session files and restart the gateway without enforcing its stated safety threshold.

Install only if you intentionally want a local maintenance script that can rewrite OpenClaw memory, archive summaries, delete main session history, and restart the gateway. Do not schedule it or use --reset until you add an enforced token threshold, confirmation or manual approval, backups, and a retention policy for archived summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Use nohup to allow the script to survive if the parent dies,
        # though systemctl restart might handle it.
        subprocess.Popen(["/bin/bash", RESET_SCRIPT], start_new_session=True)

if __name__ == "__main__":
    main()
Confidence
95% confidence
Finding
subprocess.Popen(["/bin/bash", RESET_SCRIPT], start_new_session=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions even though its documented behavior clearly implies file reads, file writes, and shell execution. This is dangerous because operators and policy engines cannot accurately assess or constrain the skill before running it, increasing the chance of unintended destructive actions in a privileged environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates materially risky behavior: deleting session data, sending messages via CLI, and restarting a service are destructive and control-plane actions, not routine context maintenance. The mismatch is dangerous because users may execute the skill expecting benign optimization while it performs irreversible resets and service disruption, especially if token monitoring is not actually enforced internally.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill description frames the code as memory and token management, but the implementation can execute a reset script that affects the broader session environment. That mismatch is dangerous because it grants destructive or high-impact behavior under the guise of benign maintenance, reducing user scrutiny and increasing the chance of unauthorized disruption.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill description discusses hard reset behavior as routine maintenance but does not clearly warn that it may wipe session storage and disrupt active operations. In this context, the omission increases danger because the skill targets the main session and is intended for automated execution, making accidental data loss more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The usage instructions tell users to run the optimizer directly, including via cron or heartbeat, without any safety guidance for a script that updates memory and triggers reset operations. This is dangerous because automation magnifies the impact of mistakes, allowing repeated data deletion or service restarts without human review.

VirusTotal

65/65 vendors flagged this skill as clean.