Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Skill Agent Broadcast
Security checks across malware telemetry and agentic risk
Overview
This skill is a real broadcast tool, but it can send messages to every configured group, including bundled chat IDs, without a confirmation step.
Install only if you intend to let this skill post through your OpenClaw gateway. Before using it, replace or clear the bundled group IDs, verify every target, avoid relying on the default all-groups behavior, and use a least-privilege gateway token limited to the intended send destinations.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)
Missing User Warnings
Medium
- Confidence
- 88% confidence
- Finding
- This markdown file documents a mass-broadcast capability, including sending to `all` registered groups, but it does not warn users about the risk of unintended wide distribution or the operational impact of announcements sent across multiple sessions. Because the file is the user-facing skill description, the omission of any caution or confirmation guidance is a missing warning for a behavior that can affect communications and coordination across many groups.
VirusTotal
66/66 vendors flagged this skill as clean.