Huo15 Openclaw Bootstrap

Security checks across malware telemetry and agentic risk

Overview

This onboarding skill is not clearly malicious, but it needs Review because it can copy shared memory, persist profile data outside the workspace, and modify workspace files under broad triggers.

Install only if you want this skill to rewrite OpenClaw workspace identity/profile files and you trust it with local memory data. Before use, check ~/.openclaw/workspace/MEMORY.md for secrets, explicitly decline or remove the L3 backup behavior if you do not want cross-workspace profile storage, and invoke it only in workspaces where modifying SOUL.md, IDENTITY.md, USER.md, TOOLS.md, AGENTS.md, MEMORY.md, and BOOTSTRAP.md is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The README explicitly describes copying profile data into a cross-workspace path under ~/knowledge/huo15/profile for reuse across workspaces and devices. That exceeds the stated per-workspace onboarding scope and can unintentionally persist personal/contextual data in a broader location, increasing privacy and data exposure risk if users do not clearly understand or consent to that behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as workspace onboarding, but it also reads a global MEMORY.md from the user's home directory and copies or appends it into the current workspace. That expands scope from local initialization to cross-workspace data propagation, which can expose sensitive shared memory such as organizational details, secrets, or credentials to a workspace that did not explicitly request them.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill description says it initializes the current workspace by creating onboarding files, but it also writes an external backup under ~/knowledge/huo15/profile. This hidden extra write broadens the skill's side effects beyond the workspace and can leak profile data into a persistent location the user did not expect.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Reading and merging a home-directory MEMORY.md is not necessary for a workspace bootstrap skill and gives it access to unrelated persistent data. Because the content may include company structure, credentials, or other sensitive context, merging it into the workspace creates an unjustified data exposure channel.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Writing a profile backup to ~/knowledge/huo15/profile is outside the stated workspace-initialization scope, making the capability context-inappropriate. While less severe than secret copying, it still creates unexpected persistence of user profile information in another directory.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list includes generic greetings and common, initialization-related everyday phrases, making accidental activation likely during normal conversation. In this skill's context, activation can lead to file writes and state changes, so broad triggers materially increase the chance of unintended modifications.

Vague Triggers

High
Confidence
96% confidence
Finding
The usage section tells users to invoke the skill with vague phrases like '你好' and 'hello world', which are common conversational inputs rather than intentional administrative commands. Because the documented behavior includes writing multiple files and deleting BOOTSTRAP.md, this creates a meaningful risk of unintended execution and workspace modification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises automatic creation of five files and deletion of BOOTSTRAP.md without clearly foregrounding that the skill will modify workspace state. Users may trigger the skill without realizing it performs write/delete operations, undermining informed consent and increasing the chance of unwanted changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The optional L3 backup stores profile data outside the current workspace in a shared home-directory location but does not pair that behavior with a strong privacy warning or explicit consent mechanism. This can cause users to disclose identity, preferences, and environment metadata into a broader persistence layer than expected.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list includes broad everyday phrases such as '初始化', 'hello world', 'welcome', and similar onboarding-like greetings. This makes accidental activation likely, which is especially dangerous because the skill performs file creation, overwrite, backup, and deletion operations.

Vague Triggers

High
Confidence
94% confidence
Finding
The documented trigger conditions rely on vague greetings and generic initialization terms without strong scope checks. In context, this is risky because the skill can modify workspace files and delete BOOTSTRAP.md, so accidental invocation can have lasting side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The top-level description says the skill creates onboarding files but does not clearly warn that it may overwrite existing files, create backups, and delete BOOTSTRAP.md. Users may invoke it without understanding that it performs destructive or persistent file operations.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs copying and appending shared global memory into the current workspace without a clear privacy warning or granular consent. Since the text explicitly mentions company organization and credentials as examples of shared memory, the risk of sensitive data disclosure is substantial.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The preset hard-codes a behavioral rule that assigns `Asia/Shanghai` to all Chinese users by default unless they explicitly object. This creates a privacy and autonomy issue because it infers locale from nationality and can silently misconfigure time-sensitive behavior, especially for overseas Chinese users or users traveling across regions.

Ssd 3

Medium
Confidence
91% confidence
Finding
The README describes retaining and syncing profile data across workspaces and devices in plain language, which semantically encourages broader data propagation than the local onboarding task requires. Even absent code, this is risky because it normalizes persistent replication of personal and environment data into locations users may not expect or secure appropriately.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill collects and stores memory/privacy preferences, project directory information, and notification-channel details in profile files and changelogs. These fields can reveal sensitive personal and environment metadata, and documenting them as routine onboarding inputs increases the risk of oversharing and downstream exposure if those files are synced, committed, or read by other agents.

Ssd 3

High
Confidence
99% confidence
Finding
This section explicitly directs copying and appending potentially sensitive global memory into the workspace, and the examples include company structure and credentials. That is a direct secret-propagation mechanism: once copied into the workspace, sensitive data can be exposed to unrelated tasks, other tools, sync systems, backups, or future prompts.

VirusTotal

VirusTotal findings are pending for this skill version.
