Skill Factory

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent skill-building workflow, but it gives agents broad authority to create, sync, and publish skills with activation and approval boundaries that are too loose.

Install only if you want an agent to help create and maintain OpenClaw skills. Use explicit commands, review the resolved target path and generated plan, and require separate confirmation before web access, file writes, force sync, git push/tag, ClawHub publish, or recurring automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (20)

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The trigger text is very broad and reads like a natural-language command pattern that could activate on loosely related user requests. In a skill that performs multi-phase automation and creates repos/files, ambiguous invocation increases the risk of unintended execution and downstream workspace or repository changes without sufficiently explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The upgrade command is similarly underspecified, and the use of free-form skill name/path plus change request can overlap with ordinary maintenance conversations. Because the documented workflow includes inspecting repos, changing files, bumping versions, and updating changelogs, accidental activation could cause unintended modifications to existing skill repositories.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The README highlights automated publishing behavior, repo creation, syncing, and upgrade application, but does not clearly warn users that local workspace and repository state may be modified. In a meta-skill whose purpose is to generate and update other skills, insufficient disclosure increases the chance users invoke it without understanding the scope of writes it may perform.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The README advertises very broad trigger phrases and free-form examples without clear activation boundaries, exclusions, or confirmation requirements. In a meta-skill that can initiate a multi-step build pipeline, this increases the chance of accidental invocation and unintended downstream actions such as collecting sources or preparing artifacts from ambiguous user input.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The document describes fetching external webpages, creating repositories, and syncing to the local workspace, but it does not clearly warn that these are network and filesystem-affecting operations. For a skill factory that automates packaging and publishing steps, lack of explicit disclosure and consent can lead users to trigger actions with side effects they did not anticipate.

Vague Triggers

Severity: High
Confidence: 92%
Finding:
The SOP explicitly encourages broad trigger coverage for 'all possible user phrasings,' which increases the chance the skill activates on incidental or ambiguous user text. In a skill that can create repositories, write files, and initiate research workflows, over-broad invocation materially raises the risk of unintended actions without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
Allowing workflow initiation from highly ambiguous inputs like a URL, keywords, or a vague one-liner means the skill may begin processing before the user's intent is sufficiently established. Because Phase 0 immediately records data and starts generating artifacts, ambiguous invocation can cause unintended state changes and collection of irrelevant or sensitive content.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The documented 'fastest way' encourages immediate execution from a generic phrase and says the process starts without needing more information. In this context, that reduces friction for accidental activation and bypasses important disambiguation before network fetches, filesystem writes, and repository creation occur.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The SOP directs the agent to create directories, initialize a git repository, commit files, synchronize into a live skills directory, and update an index, but provides no requirement to warn the user or obtain consent for these filesystem changes. This is dangerous because it enables persistent local modifications and installation-like behavior that may surprise users or alter their environment without informed approval.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The SOP mandates automatic web fetching and searching, including self-directed source discovery, without any user-facing disclosure about outbound network access, data sharing, or retention of fetched content. This creates privacy and compliance risk, especially if user-provided ideas, URLs, or internal references are transmitted or stored unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The skill advertises a very broad set of natural-language triggers for creating or updating skills, including common phrasings that could be invoked unintentionally during ordinary conversation. In a meta-skill that can initiate repo creation, file writes, web access, and publishing workflows, accidental activation materially increases the chance of unintended side effects.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The guidance says to start with 'something like' and states that no more information is needed to start, which makes activation boundaries fuzzy and encourages the agent to proceed from loosely matching user text. For a skill that can perform multi-step workflows with persistence and external actions, ambiguous invocation increases the risk of unconsented execution.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding:
The quality checklist explicitly rewards broad trigger coverage, which institutionalizes overbroad matching rather than minimizing unintended invocation. Because this skill can bootstrap other skills and drive filesystem, network, and publishing actions, broad triggers compound downstream risk.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
Requiring broad trigger phrases in the published description propagates unsafe activation design into distributed artifacts and encourages future skills to be easy to trigger accidentally. In a publishing pipeline, this can scale the risk beyond the local environment to any downstream user of the skill.

Vague Triggers

Severity: High
Confidence: 98%
Finding:
The upgrade triggers include vague non-explicit conditions such as detecting a gap during task execution, which authorizes self-initiated upgrade behavior without a direct user request. That creates a path for autonomous state changes to skills and repositories based on heuristic interpretation rather than explicit consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs saving files to inbox and generating artifacts in wip directories without any overwrite, path-safety, or approval warning. In practice, this can lead to unintended local modifications, collisions with existing files, or writes to sensitive paths if the skill name or path is not constrained.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The workflow directs automated web_fetch and web_search activity without warning the user that network access may occur or that provided URLs and queries may expose project intent to third parties. This is especially risky in enterprise or private-development contexts where source discovery itself may be sensitive.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The publishing workflow includes git push, tagging, and clawhub publish commands without a strong safety boundary or explicit confirmation before remote side effects occur. These actions can disclose code publicly, create irreversible release artifacts, and affect external distribution systems if triggered prematurely or accidentally.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The forceful Copy-Item sync command uses recursive overwrite semantics against the local skills directory and is presented without warning about replacing destination files. That can clobber local customizations, overwrite working versions, or propagate bad state into the live skill workspace.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The apply phase directs file edits, version bumps, commits, tags, and resync actions without an explicit warning that both local and remote state will change. In combination with this skill's upgrade role, that creates a substantial risk of unauthorized modifications being persisted and published under the guise of routine maintenance.

VirusTotal

62/62 vendors flagged this skill as clean.