Security audit

Experience Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate, but it can read private agent memory and permanently change agent behavior from unverified local or remote packages.

Install only if you are comfortable letting this skill read OpenClaw memory/configuration and modify persistent agent instruction files. Use dry-run, review package contents before learning or publishing, avoid --yes for untrusted packages, do not learn packages from unknown URLs, and avoid --agent unless you administer that target agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium (confidence 92%)
The script reads broad workspace memory and agent configuration files unrelated to the user-supplied description, then uses that content to shape the generated package. This creates unnecessary data exposure and over-collection risk because sensitive memory, rules, or internal context may be incorporated into package metadata or previews without explicit consent.

Context-Inappropriate Capability

Severity: Medium (confidence 90%)
The script inventories global, workspace, and agent-specific skills to infer dependencies, exposing local environment structure beyond what is needed for basic package creation. In a multi-agent or shared environment, this can leak installed capability names and agent-specific tooling, which may reveal sensitive operational details.

Context-Inappropriate Capability

Severity: Medium (confidence 96%)
The script accepts arbitrary HTTP/HTTPS URLs and downloads a ZIP from any host, then extracts and learns from its contents without restricting origin, validating integrity, or authenticating the package source. In this skill's context, the downloaded content is directly used to append attacker-controlled text into SOUL.md/AGENTS.md/TOOLS.md, making this an unsafe remote content ingestion path that can poison agent behavior or import malicious instructions.

Context-Inappropriate Capability

Severity: Medium (confidence 90%)
The --agent option lets the caller retarget modifications into another agent's workspace under AGENTS_DIR instead of the current workspace. Because this script appends learned content into control files that influence agent behavior, this broadens the blast radius from self-modification to cross-agent modification and can be abused to tamper with other agents if the caller has filesystem access.

Missing User Warnings

Severity: Medium (confidence 95%)
The README explicitly instructs users to inspect local memory and session-history files under ~/.openclaw to mine past conversations and errors, but it provides no warning about sensitive data, consent, minimization, or access controls. Those files can contain private user content, credentials, internal prompts, or other confidential operational data, so normalizing their review and repackaging increases the risk of privacy leakage and secondary disclosure.

Missing User Warnings

Severity: Medium (confidence 93%)
The README encourages publishing packages to a hub and downloading/learning packages from external sources without warning about trust, provenance, malicious content, or unintentional data sharing. In this skill's context, learned packages appear to modify agent knowledge files (for example SOUL.md and AGENTS.md), so untrusted packages could poison agent behavior or spread sensitive internal experience broadly.

Missing User Warnings

Severity: Medium (confidence 90%)
The skill includes a publish workflow that uploads a local ZIP file to a remote service, but the documentation does not warn users that package contents may contain sensitive local data or recommend reviewing the archive before transmission. In this skill's context, experience packages can include references and learned knowledge artifacts, so accidental disclosure of proprietary or private information is a realistic risk.

Missing User Warnings

Severity: Medium (confidence 95%)
The script previews related historical memory content to the console without prior warning or confirmation, which can disclose sensitive operational or personal data to whoever can view logs or terminal output. Because the tool automatically searches recent memory files, users may not realize private context will be surfaced during routine package creation.

Missing User Warnings

Severity: Low (confidence 83%)
The script silently inspects local SOUL.md, AGENTS.md, and TOOLS.md files, which may contain sensitive internal policies, workflows, or tool constraints. Even if only summarized counts are printed here, the content influences dependency inference and could later be incorporated into generated references or outputs without informed user consent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.