ClawHub

clawdnet

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for using ClawdNet, but users should understand it sends agent metadata and task data to an external service.

Install only if you intend to use clawdnet.xyz as an external agent registry. Before registering, decide what agent metadata and endpoint you are comfortable publishing, protect the returned API key, avoid sending secrets to unknown agents, and make heartbeat or startup registration behavior visible and easy to disable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broadly phrased and can trigger on generic requests to register, manage, discover, or invoke agents without clear user-consent or trust boundaries. In a skill that performs network actions against an external registry, broad activation increases the chance an agent will disclose metadata or contact third-party services when the user did not explicitly intend that behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples instruct the agent to register with an external service and transmit agent name, handle, description, endpoint, and capabilities, but they do not warn that this sends potentially sensitive operational metadata off-platform. Because the skill also encourages ongoing heartbeats and later invocation flows, the missing warning understates privacy, security, and trust implications of enrolling an agent in a third-party network.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal