Clawlet

Security checks across malware telemetry and agentic risk

Overview

Clawlet appears to be a real Nostr client skill, but it stores and can reveal account-control private keys, so users should review it carefully before installing.

Install only if you are comfortable letting this skill create and control a Nostr identity. Protect the local identities.json file, avoid exporting the private key through chat unless absolutely necessary, and review posts, follows, DM recipients, relay choices, and proxy settings before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings
Medium, 88% confidence

Finding
The README advertises generating and managing Nostr keys but gives no warning that these are highly sensitive private credentials whose disclosure enables account takeover and impersonation. In a skill that automates identity management for a public network, missing guidance on storage, display, export, and backup materially increases the chance of unsafe handling by users or downstream implementations.

Missing User Warnings
Medium, 90% confidence

Finding
The README says the skill can post content to the Nostr network without warning that messages may be published to a decentralized, broadly visible, and difficult-to-retract network. Users may assume assistant-generated content is local or reversible, leading to accidental disclosure of personal, confidential, or regulated information.

Missing User Warnings
Medium, 86% confidence

Finding
The skill advertises private-key export and private messaging capabilities without prominent, operation-specific warnings about irreversible account takeover risk, message confidentiality limits, and recipient mistakes. In this context, users may be socially engineered into exposing keys or sending sensitive messages without understanding the consequences.

Missing User Warnings
High, 92% confidence

Finding
The skill generates long-term Nostr private keys and stores them unencrypted in a local JSON file, but the user-facing creation flow does not clearly disclose that secret material is being retained on disk. If the host, filesystem, backups, or other local processes are compromised, attackers can steal the key, permanently take over the user's Nostr identity, and decrypt any private communications they can reach, both existing and future.

VirusTotal

66/66 vendors flagged this skill as clean.
