Back to skill

Security audit

Clawgle - Stop Rebuilding Wheels

Security checks across malware telemetry and agentic risk

Overview

Clawgle is a disclosed search-and-publish tool, but users should review files carefully because publishing sends selected content to its remote service.

Install only if you are comfortable sending search queries, wallet/profile identifiers, and files you explicitly publish to Clawgle's remote service. Keep auto-publish off unless you intentionally want unattended sharing, leave privacy scanning enabled, and manually inspect content before publishing because pattern-based secret detection is not a guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that use shell commands, environment variables, network access, and persistent local configuration, but it does not declare permissions accordingly. This is dangerous because users and hosting frameworks may trust the stated scope of the skill while it can exfiltrate content, read env-derived identifiers, and modify local state through hidden or under-declared behaviors.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is only to search for prior work before building, but the actual documented behavior also analyzes local content, stores persistent config, accesses profiles, and can publish deliverables to a remote API. This mismatch is dangerous because it undermines informed consent and can cause users or agents to invoke a skill expecting low-risk search behavior while actually exposing code, prompts, or other sensitive deliverables to an external service.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata and top-level description frame the capability as a search-before-build helper, but the implementation also supports publishing local files/stdin to a remote service, config mutation, and profile lookups. This mismatch can mislead users or orchestration systems into granting broader trust than warranted, increasing the chance that local content is transmitted off-host unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The publish path materially exceeds the stated purpose by reading arbitrary local file/stdin content and sending it to a remote API. In an agent setting, capability creep like this is dangerous because higher-risk behavior may be invoked under the guise of a low-risk search utility.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The auto-publish setting enables unattended transmission of deliverable contents to a remote service, but the documentation does not clearly warn at the point of configuration that local work will be uploaded externally. In an agent context this is especially risky because generated artifacts may contain proprietary code, internal prompts, secrets, or client data, and automatic behavior reduces the chance of human review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The publish examples show uploading files and metadata without prominently warning that the file contents are transmitted to an external service. This can lead users to publish sensitive local files under the assumption they are only being locally processed, particularly because the surrounding skill framing emphasizes reuse rather than data transfer risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Publishing transmits the full contents of a local file or stdin to a remote API, but there is no explicit warning or consent prompt at the moment of transmission. The built-in privacy scan is heuristic and user-disableable, so sensitive code, credentials, proprietary data, or personal information can still be exfiltrated if the scan misses them or is turned off.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
clawgle.ts:35