better-skill-creator

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-management tool whose file changes are expected for its purpose and are mostly disclosed or user-confirmed.

Install only if you want a tool that manages skill files on your machine. Before using migration or rollback, read the prompt carefully and verify the target path because those actions can delete or overwrite local skill directories after confirmation. Backups and proposals are stored under ~/.openclaw.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill advertises automatic backup, migration, rollback, changelog generation, and test execution with no visible warning about filesystem changes, historical data migration, or the side effects of running tests. In a skill-management context, these operations can alter repositories, overwrite files, consume resources, or execute untrusted project code during tests, making the missing safety boundaries materially risky.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal