Skill Sandbox

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed sandboxed installer, but it can promote or replace active skills without enforcing a verified clean scan first.

Install only if you are comfortable with a local shell script changing your active OpenClaw skills. Treat it as a triage helper, not a complete supply-chain security barrier: manually review staged skills before using --promote, avoid --force unless you understand the VirusTotal bypass, and use tightly scoped staging/live directories with backups for existing skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The script’s stated purpose is to quarantine and scan newly installed skills before promotion, but it exposes a `--promote` mode that moves a staged skill into the live directory without performing any scan or verifying a prior clean verdict. That creates a straightforward policy-bypass path where a malicious or unreviewed staged skill can be promoted directly, undermining the security boundary the skill claims to enforce.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The usage text explicitly says promotion will 'skip scan', while the overall tool description presents promotion as part of a sandboxed security pipeline. This mismatch is dangerous because operators may trust the tool to enforce scanning and quarantine semantics when in fact the promote path bypasses them entirely.

VirusTotal

65/65 vendors flagged this skill as clean.
