Clawdtm Advisor

Security checks across malware telemetry and agentic risk

Overview

This skill does match its purpose, but it can install remote skill files into your agent environment without enough built-in guardrails.

Install only if you want this skill to help add other skills to your environment. Before letting it install anything, ask to see the exact skill name, source, security flags, and full file list, and confirm that every file path stays inside the intended skills directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to write arbitrary files returned by a remote API directly into the local workspace, including examples such as shell scripts, without requiring content validation, sandboxing, path restriction checks, or explicit user confirmation at the point of write. Because this skill is specifically designed to fetch and install third-party skills, the context makes the behavior more dangerous: it creates a supply-chain path from remote content to local executable files.

VirusTotal

66/66 vendors flagged this skill as clean.
