Claw Alarm

Security checks across malware telemetry and agentic risk

Overview

This alarm skill is useful and mostly transparent, but it gives a long-lived device token to a generic API wrapper and recommends unsafe token storage.

Install only if you are comfortable letting the agent read and change alarms on the paired phone. Treat the ClawAlarm token as a real secret: do not commit it, do not put it in CLAUDE.md or shared project files, avoid command-line token entry when possible, prefer a protected untracked secret store, and reset pairing if the token may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes a shell wrapper (`scripts/alarm-api.sh`) but the manifest does not declare that capability. Hidden execution capability reduces transparency for review and policy enforcement, and it can enable networked side effects that a user or platform may not expect from the manifest alone.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior substantially exceeds the stated purpose: it stores tokens, manages auth state, refreshes pairing, exposes status, and permits arbitrary authenticated API calls. That mismatch prevents informed consent and broadens the reachable attack surface beyond simple alarm management.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documentation explicitly reframes the skill as a generic client for every deployed API route, not just alarm operations. A generic authenticated client can reach future or undocumented endpoints added to the backend, creating capability creep and making review of the skill incomplete by design.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill encourages arbitrary use of whatever routes appear in the live API spec, effectively delegating trust to a remote server to define local capability at runtime. This makes the skill's behavior open-ended and can silently expand access if new endpoints are deployed later.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file claims the bearer token 'can only configure alarms' while elsewhere stating the CLI can call every deployed API route. That contradiction can mislead users into underestimating token sensitivity and may cause unsafe storage or sharing of credentials.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script is advertised as an alarm-management skill, but its primary interface accepts an arbitrary endpoint and method, then forwards the caller's bearer token to the full ClawAlarm API. That creates a scope-expansion vulnerability: any caller or prompt that can invoke this skill can access unrelated account/device operations exposed by the backend, defeating the principle of least privilege.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The help path downloads the live OpenAPI spec and enumerates all routes, including capabilities unrelated to alarm management. This increases attack surface by exposing hidden or undocumented backend functionality to any user of the skill, making it easier to discover privileged operations that can then be reached through the generic wrapper.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation frames the file as a narrow alarm API wrapper, but the implementation is a general-purpose authenticated REST client. This mismatch is security-relevant because reviewers and users may trust the declared scope while the code actually permits broader actions, increasing the chance of unintended privileged use.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Defaulting the time zone without explicit user opt-in can cause alarms to be scheduled at unintended local times, which can have real-world safety and reliability consequences. Because this skill controls device alarms, silent assumptions about scheduling context are more dangerous than in ordinary text processing.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script supports passing bearer tokens directly on the command line via `auth login --token=...`, which can expose secrets through shell history, process listings, audit logs, or agent transcripts. Because the token authorizes device control, accidental disclosure could let another party manipulate alarms on the paired phone.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instructions encourage placing a live bearer token into reusable config files, including `CLAUDE.md`, increasing the chance of later accidental disclosure to tools, agents, repositories, or support logs. Persisted credentials in broad-context files are especially risky because they may be automatically loaded or surfaced outside the original task.

Session Persistence

Medium
Category
Rogue Agent
Content
### Storing the token

The bearer token is a secret in the cryptographic sense — anyone holding it can read and rewrite the alarm list on the paired device. **However:**

- It can only configure alarms. It cannot read contacts, location, photos, payment info, or anything else on the phone.
- Its blast radius is one device.
Confidence
89% confidence
Finding
write the alarm list on the paired device. **However:** - It can only configure alarms. It cannot read contacts, location, photos, payment info, or anything else on the phone. - Its blast radius is o

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal