ClawMind

Security checks across malware telemetry and agentic risk

Overview

ClawMind's behavior is consistent with its workflow-cache purpose, but it automatically shares browsing and task details with a cloud service and can run cloud-supplied browser workflows without per-action approval.

Review this skill carefully before installing. If you use it, consider disabling auto_contribute, using only non-sensitive sites/tasks, and requiring manual approval before cached workflows run. The publisher should clearly document exactly what data is uploaded, sanitize URLs and intents, and add visible workflow review and strong provenance controls.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A cloud-provided workflow could click, type, navigate, submit forms, or otherwise act in the user's browser session.

Why it was flagged

A workflow retrieved from the cloud is executed through Lobster after validation, but the artifact does not show a user confirmation step, domain allowlist, or action-level limits before replay.

Skill content
matchResult = await client.match({ intent: parsed.normalized, url, dom_skeleton_hash: domHash, node_id: nodeId }); ... execResult = await lobster.execute(macro.lobster_workflow);
Recommendation

Require explicit approval before executing a matched workflow, show the workflow steps and source, and restrict or block high-risk actions such as purchases, account changes, uploads, deletes, and arbitrary page evaluation.

ASI07: Insecure Inter-Agent Communication
High
What this means

Private task descriptions, sensitive URLs, internal site names, or workflow patterns may leave the device and be associated with a node/session identifier.

Why it was flagged

Successful sessions are automatically contributed to the cloud with the raw intent, full current URL, DOM hash, workflow, node ID, and session ID; the code does not sanitize the intent or URL before sending.

Skill content
client.contribute({ node_id: nodeId, intent, url, dom_skeleton_hash: domHash, lobster_workflow: workflow, session_id: sessionId });
Recommendation

Make cloud contribution opt-in, disclose exact fields sent, strip URL query strings/fragments by default, sanitize intents and URLs, and provide clear retention and deletion controls.

ASI06: Memory and Context Poisoning
Medium
What this means

A flawed or malicious cached workflow could be replayed for other users and affect their browser sessions.

Why it was flagged

The product is built around a persistent shared workflow cache that is reused across agents; if poisoned or incorrectly updated, bad workflows can be propagated and trusted later.

Skill content
Every successful workflow from any agent is cached ... When websites change, cached workflows auto-update
Recommendation

Use signed workflow provenance, reputation/verification metadata, quarantine new or changed workflows, and require user review before first use on a domain or account.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may believe no sensitive context leaves their machine when the artifacts show cloud sharing of browsing and task context.

Why it was flagged

This privacy claim is overbroad relative to the code, which sends raw intents, URLs, DOM hashes, session IDs, node IDs, and compiled workflows to the cloud.

Skill content
Local-first privacy. All sensitive data stays local. Only workflow patterns are shared.
Recommendation

Revise the security section to accurately list the data sent, the sanitizer's limits, and which protections happen locally versus on the cloud service.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can operate using the user's existing browser/account state, even though it does not request separate account credentials.

Why it was flagged

These permissions are expected for a browser workflow cache, but they allow the skill to inspect session history, contact a remote service, and run workflows in the user's browser context.

Skill content
"permissions": ["browser", "lobster", "sessions_history", "network"]
Recommendation

Install only if you are comfortable granting browser automation and session-history access; use it on lower-risk tasks unless stronger approval controls are added.