Back to skill

Security audit

虾游 WanderClaw

Security checks across malware telemetry and agentic risk

Overview

WanderClaw mostly matches its knowledge-exploration purpose, but it needs Review because it installs recurring agent jobs, silently retries scheduled tasks, and writes a future prompt into shared agent memory.

Install only if you intentionally want autonomous daily and weekly OpenClaw jobs that search the web, use model/search resources, write local interest/history data, and post results back to chat. Before relying on it, review the created cron jobs, the wanderclaw/ directory, the pending-cron queue, and any memory/YYYY-MM-DD.md nudge; remove or patch those pieces if you want the skill to act only when explicitly invoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill declares that it is dormant unless explicitly triggered, but its documented behavior includes installation/cron side effects and references behavior not aligned with that contract. In agent ecosystems, description-behavior mismatch is dangerous because the orchestrator and user may grant trust based on the manifest while the skill performs persistence or activation-related actions outside the expected scope.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The changelog explicitly describes writing an onboarding prompt into shared memory so the main agent will later mention the skill unprompted. That contradicts the skill's stated dormant/non-intrusive role and creates cross-agent steering behavior outside the user's immediate request. In this context, modifying shared memory to influence future dialogue is a real security and trust boundary issue, not just a UX detail.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This documented behavior gives the skill a mechanism to alter the main agent's shared memory for the purpose of steering later conversation flow. For a knowledge-exploration role, that capability is unnecessary and expands the skill's influence beyond its claimed scope, increasing the risk of covert prompt injection, user manipulation, or interference with other skills. The dormant framing makes this more dangerous because the actual effect is hidden and deferred.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README claims the skill is dormant unless explicitly triggered, but elsewhere documents cron-based autonomous execution and proactive interest capture. This creates a misleading trust boundary: users may believe the skill is inert unless invoked, while it can continue acting and collecting signals outside an immediate request.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
Marketing the skill as 'zero configuration' and 'install and use' is inconsistent with the onboarding prompts, cron registration, and persistent autonomous behavior described later. While not a direct exploit, this can mislead users into consenting to system changes and recurring actions without understanding setup or operational consequences.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
Although framed as dormant, the skill also activates via cron-triggered tasks and performs autonomous maintenance behavior. This weakens the user's and host agent's expectation that the skill is only invoked by explicit user intent, increasing the chance of unauthorized background actions.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The documentation directs shell-based inspection and execution fallback behavior beyond the declared requirements, which obscures the true privilege boundary of the skill. Under-declaring operational capabilities is risky because it may cause the host to expose more powerful tools than users or policy reviewers expect.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill says it will not interfere with other work, but then instructs itself to perform silent background cron repair when activated. Hidden maintenance actions create a covert side-effect channel and undermine informed consent, especially when they alter persistent scheduling state.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The demo text claims the skill will read chat history and infer new interests automatically, which conflicts with the skill's own anti-fabrication/onboarding requirement to ask the user directly instead of inferring from memory or other files. This mismatch can mislead operators and users about what data the skill is allowed to collect and how it behaves, increasing the risk of unauthorized profiling or deceptive operation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The page simulates successful cron registration and cold-start exploration as if they were completed, despite no real tool execution occurring. Because the skill metadata explicitly forbids claiming actions like cron registration or exploration without fresh tool output, this demo normalizes deceptive status reporting and could train users to trust fabricated operational claims.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file explicitly frames itself as a cron-executed autonomous workflow and even permits random switching into deep-dive mode, which conflicts with the skill manifest's promise that the skill stays dormant unless explicitly invoked by the user. That mismatch can cause the agent to act, search, and potentially message users outside the declared activation boundary, undermining user consent and routing guarantees.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file explicitly instructs the skill to "quietly remember" user interests and update a persistent interest graph based on normal conversation, which conflicts with the manifest's dormant-by-default behavior and the requirement not to infer interests without directly asking the user. This creates undisclosed behavioral profiling and cross-session persistence, increasing privacy risk and making the skill act outside explicit user activation boundaries.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script creates recurring cron jobs that trigger autonomous exploration and user-facing output on a schedule, which conflicts with the skill's stated dormant/unless-explicitly-invoked behavior. In an agent environment, scheduled autonomous actions expand the trust boundary and can cause unsolicited network activity, content generation, and persistent behavior after a one-time activation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The setup script writes a one-shot prompt into the shared memory used by the main agent, causing the main agent to proactively mention and promote this skill in future conversations. That contradicts the skill's stated dormant/on-demand behavior and creates a cross-agent influence channel that can steer future responses without explicit user activation or consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Injecting conversational guidance into the main agent's memory gives this skill an unnecessary ability to shape future agent behavior beyond its stated knowledge-exploration purpose. Because the memory is shared and later consumed automatically, this acts like prompt persistence and can bias unrelated future interactions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The changelog states that every activation may trigger a background cron-drain task 'without disturbing the user.' Silent background execution is risky because it performs side effects and external scheduling changes without contemporaneous disclosure or consent, which undermines transparency and can hide repeated failures or unexpected system modifications. Since the skill already claims to be dormant unless explicitly triggered, concealed maintenance actions further blur trust boundaries.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The activation list includes very common words such as “探索 / explore / 发现 / 扫描 / 找点有趣的”, which can appear in normal conversation unrelated to this skill. Because the skill is designed to take over handling when triggered, overly broad keywords can cause unintended activation and execution of follow-on actions, including state inspection and onboarding logic.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The examples for user-triggered exploration rely on vague natural-language phrases like “探索” and “找点有趣的”, without boundary conditions or disambiguation. In a multi-skill or general assistant setting, that creates prompt-routing ambiguity and can invoke this skill during ordinary requests, leading to unintended browsing, state changes, or scheduled behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document states that onboarding will register cron jobs and that the skill will continue running automatically at fixed times, but it does not foreground this as a persistent system modification requiring explicit consent. Silent or weakly disclosed persistence is security-relevant because it changes host behavior beyond the current session and can surprise users with recurring autonomous execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly performs multiple web searches and fetches during initialization and exploration, yet the description does not clearly warn users that activating the skill will cause outbound network requests and content retrieval from external services. In privacy- and enterprise-sensitive environments, undisclosed network access can expose prompts, interests, metadata, or operational patterns to third parties.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad, everyday phrases such as '探索', '发现', '随便看看', and similar natural-language expressions that can appear in unrelated conversations. In an agent-routing context, this raises the risk of accidental activation, causing the skill to take over handling, perform searches, or begin onboarding and scheduling unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes automatic scheduling and creation of persistent workspace data, but does not prominently warn users about those ongoing system and data effects before use. In practice, scheduled execution and stored logs/history can create unexpected background activity, retention, and operational risk if enabled without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The statement that new interests mentioned in chat will be captured implies ongoing profiling of user preferences, but the README does not clearly explain retention, scope, or user control. This is dangerous because users may disclose sensitive topics in normal conversation without realizing they are being persistently recorded and used for personalization.

Vague Triggers

High
Confidence
94% confidence
Finding
The activation keywords include broad everyday terms like '探索', '发现', and similar phrases that can appear in ordinary conversation unrelated to this skill. Overbroad triggers can cause unintended delegation into a tool-using skill that performs filesystem and scheduling operations, expanding the blast radius from casual language.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to perform silent background cron registration repair without warning the user. Any hidden persistence or scheduling change is security-sensitive because it can create ongoing autonomous execution beyond the user's immediate request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.