AgentGuard

Security checks across malware telemetry and agentic risk

Overview

AgentGuard appears to be a legitimate security tool, but it asks for broad local and system access that users should review before installing.

Install only if you want a security auditor with broad visibility into local agent state, installed skills, workspaces, credential-directory metadata, environment names, network/cron status, and Web3 action context. Review generated reports before sharing them, verify the external AgentGuard package/version, and avoid enabling auto-scan or daily patrols unless you want ongoing local monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description presents it as a general security guard, but the body also grants itself trust-registry modification, audit-log writing, browser-opening, and report generation behaviors that materially expand its authority. This gap can mislead users into invoking a skill with broader side effects than expected, increasing the chance of unintended state changes or disclosure through generated reports and browser actions.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README says the report opens automatically in the browser and includes shareable social-media content, but it does not clearly warn users that the generated report or image may contain sensitive security posture information. In a security tool, this omission can lead users to unintentionally expose environment details, scores, or findings by opening or sharing the output without an explicit privacy notice or confirmation step.

Natural-Language Policy Violations

Low
Confidence
79% confidence
Finding
The README advertises prewritten shareable copy for X, Telegram, and WhatsApp in multiple languages without stating that sharing is strictly opt-in. In the context of a security assessment skill, encouraging easy social sharing without explicit consent language increases the risk of accidental disclosure of internal security status or other sensitive findings.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill is advertised with very broad, loosely bounded security functions, which increases the likelihood it will be selected for generic requests and then gain access to sensitive files, env data, and shell tooling. Overbroad scope is risky because it normalizes powerful operations under a vague 'security' banner, reducing user scrutiny.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs writing HTML reports and appending audit-log entries, but these persistent writes are not clearly disclosed in the user-facing description. Undisclosed persistence can store sensitive scan output or operational history on disk, which may later be accessed by other local processes or users.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The policy explicitly says phishing and address-security check failures are silently skipped when GoPlus is unavailable, while still allowing decisions to proceed on weaker policy-only logic. In a security guard skill, this creates fail-open behavior and can cause users or downstream agents to trust approvals that were made without the advertised external threat intelligence, especially for Web3 actions where phishing and malicious-address detection are core safeguards.

Session Persistence

Medium
Category
Rogue Agent
Content
### How to Set

1. Read `$ARGUMENTS` to get the desired level
2. Write the config to `~/.agentguard/config.json`:

```json
{"level": "balanced"}
```
Confidence
81% confidence
Finding
Write the config to `~/.agentguard/config.json`:

```json
{"level": "balanced"}
```

3. Confirm the change to the user. If no level is specified, read and display the current config.

--- # Reporting

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
```yaml
access: read-write
    reason: "Read/write audit log (audit.jsonl) and protection level config (config.json)"
user-invocable: true
allowed-tools: Read, Write, Grep, Glob, Bash(node *trust-cli.ts *) Bash(node *action-cli.ts *) Bash(*checkup-report.js) Bash(echo *checkup-report.js) Bash(cat *checkup-report.js) Bash(openclaw *) Bash(ss *) Bash(lsof *) Bash(ufw *) Bash(iptables *) Bash(crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *) Bash(node *) Bash(cd *)
argument-hint: "[scan|action|patrol|trust|report|config|checkup] [args...]"
---
```
Confidence
86% confidence
Finding
crontab *) Bash(systemctl list-timers *) Bash(find *) Bash(stat *) Bash(env) Bash(sha256sum *) Bash(node *) Bash; crontab -l 2>/dev/null` for suspicious entries containing `curl|bash`, `wget

VirusTotal

65/65 vendors flagged this skill as clean.