Back to skill

Security audit

Dynamic Island

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw macOS status widget, but it handles sensitive agent conversation snippets with weak local access controls.

Review before installing. Use this only on a trusted Mac, because it reads OpenClaw session files and can show recent conversation snippets. Prefer a version that adds a local auth token or Origin checks, escapes displayed message/config text, limits URL opening to expected Feishu/Lark schemes, pins dependencies, and clearly labels the optional login-start LaunchAgent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes several generic phrases such as "dynamic island", "agent状态", and "打开灵动岛" without clear scoping to this specific skill or explicit confirmation requirements. In an agent ecosystem, broad triggers can cause accidental or unintended activation, which may start local scripts or services when the user meant something else.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The usage guidance says to activate the skill with phrases like "启动灵动岛" or "打开 dynamic island," which are ambiguous natural-language commands that could easily appear in ordinary conversation. Because the skill installs or launches local components, ambiguous invocation increases the risk of unintended execution rather than a purely cosmetic UI action.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The app accepts an arbitrary string from web content via the WKScriptMessageHandler and passes it directly to NSWorkspace.shared.open(url). Because the web view loads content from a local HTTP server rather than bundled trusted content, any compromised or malicious page served on that port can trigger external URL launches, including potentially dangerous schemes such as file:, custom app schemes, or phishing pages, without user confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to create and load a LaunchAgent plist in ~/Library/LaunchAgents, which establishes login-time persistence and modifies user startup behavior. While presented as an optional convenience feature, the commands directly write and load a persistent agent without any warning about persistence, review of the plist contents, or safety implications.

Session Persistence

Medium
Category
Rogue Agent
Content
终端执行两行命令:

```bash
sed "s|__INSTALL_DIR__|$(pwd)|g" com.openclaw.face.plist > ~/Library/LaunchAgents/com.openclaw.face.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.face.plist
```
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
终端执行两行命令:

```bash
sed "s|__INSTALL_DIR__|$(pwd)|g" com.openclaw.face.plist > ~/Library/LaunchAgents/com.openclaw.face.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.face.plist
```
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
sed "s|__INSTALL_DIR__|$(pwd)|g" com.openclaw.face.plist > ~/Library/LaunchAgents/com.openclaw.face.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.face.plist
```

以后每次开机,灵动岛自动出现。
Confidence
96% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
sed "s|__INSTALL_DIR__|$(pwd)|g" com.openclaw.face.plist > ~/Library/LaunchAgents/com.openclaw.face.plist
launchctl load ~/Library/LaunchAgents/com.openclaw.face.plist
```

以后每次开机,灵动岛自动出现。
Confidence
96% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.