Remote Claw

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about sending jobs to RemoteClaw and human workers, but it explicitly promotes CAPTCHA solving without safeguards, which can enable bypassing anti-bot protections.

Review before installing. Use only if you are comfortable giving an agent an API key that can post public jobs to external human workers. Require explicit approval for every job and applicant selection, do not use it for CAPTCHA or bot-protection bypass, and never include passwords, tokens, private documents, full addresses, or internal URLs in job context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly encourages sending task details to a public marketplace of humans for physical-world tasks, including examples involving phone calls, in-person checks, and CAPTCHA solving. Although there is a later 'Data Guidelines' section, the privacy warning is not prominent enough relative to the broad recommended use cases, so an agent or user could disclose sensitive operational or personal information to third parties.

VirusTotal

65/65 vendors flagged this skill as clean.
