
Security audit

Model Registry Manager

Security checks across malware telemetry and agentic risk

Overview

This skill matches its model-registry purpose, but it can repeatedly rewrite OpenClaw configuration, use provider API keys, restart the gateway, and store local learnings without enough user control.

Install only if you are comfortable giving the skill access to OpenClaw provider credentials and authority to update ~/.openclaw/openclaw.json. Before relying on it:
  • run the sync in dry-run mode first;
  • back up the config;
  • review removed models before applying changes;
  • avoid enabling the recurring --restart job until you have validated behavior in your environment;
  • disable or require approval for .learnings writes if the workspace may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill clearly directs the agent to fetch upstream `/models` data, probe remote models, and manage scheduled jobs, which implies network access and likely environment/config access, yet no explicit permissions or safety boundaries are declared in the skill file. This increases the chance that an operator or agent executes a capability-rich workflow without clear authorization, review, or sandbox expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to automatically persist 'reusable operational knowledge' and user corrections into `.learnings/` expands the skill beyond model-registry sync into unsolicited repository modification and long-term memory capture. This creates a path for storing sensitive interaction data, operator mistakes, or adversarial prompt content in a persistent location that may later influence behavior or leak information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to write operational notes and user-derived corrections into `.learnings/` by default without warning that repository files will be modified. Silent file creation or modification can surprise operators, persist tainted content, and leave unreviewed, potentially private material in source control history.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script overwrites the main OpenClaw configuration file in place after processing remote provider data, with no backup, locking, validation guard, or confirmation step. In this skill context, the script is intended to synchronize registry state, but because it trusts network-derived model metadata and rewrites a central config, a bad provider response, misconfiguration, or accidental invocation can corrupt service configuration or remove valid models, causing denial of service or operational disruption.
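The overwrite-in-place problem in this finding and the dry-run, back-up, review-removals, don't-restart advice in the overview above are one control set. The following is an added example, not the skill's own script, of what a guarded sync looks like: it validates the upstream `/models` response, computes the diff without touching disk, refuses a sync that would drop more than half of a provider's models, and only on `apply=True` backs up the file and replaces it atomically after re-parsing the new JSON. The config layout, the provider name `acme`, the `/models` response and the removal threshold are constructed for the example and are not taken from OpenClaw.

```python
import copy
import json
import os
import shutil
import tempfile
import time

# Constructed stand-in for ~/.openclaw/openclaw.json; the layout is assumed, not OpenClaw's.
EXISTING_CONFIG = {"providers": {"acme": {"apiKey": "${ACME_API_KEY}", "models": [
    {"id": "acme-large", "contextWindow": 128000},
    {"id": "acme-small", "contextWindow": 32000},
    {"id": "acme-legacy", "contextWindow": 8000},
]}}}

# Constructed stand-in for the provider's /models response (acme-legacy gone, acme-xl new).
UPSTREAM_RESPONSE = {"data": [{"id": "acme-large"}, {"id": "acme-small"}, {"id": "acme-xl"}]}

# Assumed guard: one sync may not drop more than this share of a provider's models.
MAX_REMOVAL_FRACTION = 0.5


def validate_upstream(resp):
    """Reject malformed or empty /models data before it can influence the config."""
    if not isinstance(resp, dict) or not isinstance(resp.get("data"), list):
        raise ValueError("unexpected /models response shape")
    ids = []
    for entry in resp["data"]:
        if not isinstance(entry, dict) or not isinstance(entry.get("id"), str) or not entry["id"]:
            raise ValueError("model entry without a usable id")
        ids.append(entry["id"])
    if not ids:
        raise ValueError("empty model list; refusing to sync")
    return ids


def plan_sync(config, provider, upstream_ids):
    """Compute the diff and the new config in memory; nothing is written here."""
    current = {m["id"]: m for m in config["providers"][provider]["models"]}
    removed = sorted(set(current) - set(upstream_ids))
    added = sorted(set(upstream_ids) - set(current))
    if current and len(removed) / len(current) > MAX_REMOVAL_FRACTION:
        raise RuntimeError(f"sync would remove {len(removed)} of {len(current)} models; refusing")
    new_config = copy.deepcopy(config)
    # Surviving models keep their locally configured attributes; new ones get a bare entry.
    new_config["providers"][provider]["models"] = [
        copy.deepcopy(current.get(mid, {"id": mid})) for mid in upstream_ids
    ]
    return {"added": added, "removed": removed, "config": new_config}


def write_config(path, new_config):
    """Back up, write a temp file beside the target, re-parse it, then rename it into place."""
    backup = f"{path}.bak.{int(time.time())}"
    shutil.copy2(path, backup)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".openclaw.")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(new_config, fh, indent=2)
        with open(tmp) as fh:
            json.load(fh)  # never rename an unparseable file over the live config
        os.chmod(tmp, 0o600)  # the file carries provider credentials
        os.replace(tmp, path)  # atomic rename: readers see the old file or the new, never a torn one
    except Exception:
        os.unlink(tmp)
        raise
    return backup


def sync(path, provider, upstream_response, apply=False):
    """Dry run by default: returns the plan. Only apply=True writes, and nothing here restarts."""
    with open(path) as fh:
        config = json.load(fh)
    plan = plan_sync(config, provider, validate_upstream(upstream_response))
    plan["backup"] = write_config(path, plan["config"]) if apply else None
    return plan


def demo():
    """Dry-run, then apply, against a temp copy of the constructed config; returns what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openclaw.json")
        with open(path, "w") as fh:
            json.dump(EXISTING_CONFIG, fh)
        dry = sync(path, "acme", UPSTREAM_RESPONSE)
        with open(path) as fh:
            untouched = json.load(fh) == EXISTING_CONFIG
        applied = sync(path, "acme", UPSTREAM_RESPONSE, apply=True)
        with open(path) as fh:
            on_disk = json.load(fh)
        models = on_disk["providers"]["acme"]["models"]
        return {
            "dry_removed": dry["removed"],
            "dry_added": dry["added"],
            "untouched_after_dry_run": untouched,
            "backup_exists": os.path.exists(applied["backup"]),
            "models_on_disk": [m["id"] for m in models],
            "kept_context_window": models[0].get("contextWindow"),
        }
```

Calling `demo()` runs the dry run first (the file is untouched and the plan reports `acme-legacy` as removed and `acme-xl` as added), then the apply step, which leaves a timestamped `.bak` copy beside the config. The restart the finding below describes is deliberately absent: a restart, if wanted, belongs in a separate step that runs only after an operator has looked at `removed`.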

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script can restart the OpenClaw gateway automatically immediately after writing configuration, which amplifies the effect of any bad sync result into immediate service interruption. Although the restart requires `--restart` and uses a fixed command, in the context of a config-mutating automation tool this creates a risky one-step path from remote provider data to production-impacting restart without additional safeguards.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persisting user-provided corrections and interaction-derived information by default creates a durable storage channel for potentially sensitive, proprietary, or adversarially injected content. In the skill context this is more dangerous because the archive is positioned as normal operating procedure, making accidental retention and future prompt/context contamination likely.

VirusTotal

66/66 vendors flagged this skill as clean.
