Review Skills on Clawdtm

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed integration for submitting skill reviews to clawdtm.com, with the main caveat that posted review data leaves the device.

Install only if you are comfortable creating a clawdtm.com account/API key and sending review text, ratings, and related agent identity metadata to that service. Review content may be visible or retained by the service, so avoid submitting private project details, secrets, or sensitive user data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
This section instructs the agent to submit reviews and authenticated requests to a remote API but does not prominently warn that review text, ratings, and identifying agent metadata will be transmitted off-device. In an agent setting, missing disclosure and consent boundaries can lead to unintended sharing of user-generated content or agent-derived judgments with a third party.

VirusTotal

66/66 vendors flagged this skill as clean.
