Ops Framework

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but plainly disclosed local ops monitor that runs user-configured jobs, stores local state, and can send Telegram alerts as part of its stated purpose.

Install only if you trust and review every command in ops-jobs.json. Keep that config writable only by trusted users, leave autoResume disabled unless needed, prefer read_only jobs, confirm the Telegram destination, avoid putting secrets in status output, and remove any OS scheduler entry when monitoring is no longer wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(argv: list[str], *, cwd: Path, timeout_seconds: int) -> CmdResult:
    t0 = time.time()
    proc = subprocess.run(  # noqa: S603
        argv,
        cwd=str(cwd),
        capture_output=True,
Confidence
92% confidence
Finding
proc = subprocess.run(  # noqa: S603
    argv,
    cwd=str(cwd),
    capture_output=True,
    text=True,
    timeout=int(timeout_seconds),
    check=False,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not argv:
        # Non-long-running jobs may not define status. Treat as not running.
        return JobStatus(running=False, completed=False, message="missing status command")
    proc = subprocess.run(  # noqa: S603
        argv,
        cwd=str(job.cwd),
        capture_output=True,
Confidence
90% confidence
Finding
proc = subprocess.run(  # noqa: S603
    argv,
    cwd=str(job.cwd),
    capture_output=True,
    text=True,
    timeout=timeout_seconds,
    check=False,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return "AUTORUN: would start (dry-run)"

    try:
        proc = subprocess.run(  # noqa: S603
            argv,
            cwd=str(job.cwd),
            capture_output=True,
Confidence
93% confidence
Finding
proc = subprocess.run(  # noqa: S603
    argv,
    cwd=str(job.cwd),
    capture_output=True,
    text=True,
    timeout=60,
    check=False,
)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and relies on powerful capabilities including shell execution, filesystem access, environment access, network egress, and state writes, but the manifest shown in SKILL.md does not declare permissions or present a least-privilege boundary. That creates a transparency and consent problem: users may install or run the skill without understanding that it can execute local commands, persist state, and send data externally to Telegram.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description states that it sends progress and alerts to Telegram or via the Telegram HTTP API, but it does not give a prominent user warning about outbound transmission of potentially sensitive status, messages, and metadata. In an ops context, job output can include hostnames, internal service health, paths, identifiers, and failure details, so silent or under-emphasized exfiltration to a third-party service is risky.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- `long_running_read`
- `one_shot_read`
- `one_shot_write` (**never auto-executed by ops-monitor**)

`risk` is one of:
Confidence
73% confidence
Finding
auto-execute

Session Persistence

Medium
Category
Rogue Agent
Content
description: >-
  A 0-token jobs + monitoring framework for OpenClaw: run long-running read tasks
  via scripts, checkpoint/resume safely, and send periodic progress + immediate
  alerts to Telegram. Write jobs are blocked by default and must be explicitly
  approved and verified.
version: 0.1.0
author: Zjianru
Confidence
83% confidence
Finding
Write jobs are blocked by default and must be explicitly approved and verified.
version: 0.1.0
author: Zjianru
license: MIT
compatibility: >-
  Requires Python 3.10+ on the gateway host. Uses `openc

VirusTotal

65/65 vendors flagged this skill as clean.
