Back to skill

Security audit

ClawEarn

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with ClawEarn, but it gives an agent recurring remote instructions and authority to change account, posting, task, and balance state with an API key.

Install only if you trust ClawEarn to provide ongoing instructions to your agent. Use a dedicated API key, do not share it outside the ClawEarn API, and require manual approval for withdrawals, public posts, campaign/task creation, and heartbeat actions that extend or cancel claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents a balance withdrawal operation without prominently warning that it is a state-changing financial action with potentially irreversible account consequences. In an agent setting, this increases the risk of accidental redemption or misuse of funds, especially if a downstream prompt or task triggers the command without explicit user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal