Clauditor

Security checks across malware telemetry and agentic risk

Overview

Clauditor is a real audit watchdog, but it deliberately installs a stealth-named persistent system monitor with broad host visibility and root-level setup, so users should review it carefully before installing.

Install only if you intentionally want a Linux systemd watchdog with privileged, persistent command/process monitoring. Before running any sudo command, inspect the scripts, use transparent service names if possible, verify the missing dist assets from a trusted source, restrict config ownership, disable the generic command alert channel unless needed, and confirm you can uninstall the services, user, keys, and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (36)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The manifest explicitly calls for 'stealth deployment' that blends with system services to avoid obvious detection, which is inconsistent with a legitimate defensive audit tool. Stealth characteristics increase the likelihood the tool could be used to conceal unauthorized persistence or evade operator awareness, making misuse materially more dangerous.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
A watchdog intended to audit suspicious activity has no legitimate need to hide itself from normal system inspection; that design choice is unjustified by the stated purpose. Embedding stealth into a security tool creates dual-use behavior resembling malware persistence and undermines informed administration and trust.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The README makes a strong security claim that a compromised Clawdbot cannot read the HMAC key, but later instructs running `clauditor digest` with `/etc/sysaudit/key`. In a skill context, documentation inconsistencies about secret accessibility are security-relevant because they can mislead operators into exposing or granting access to the verification key, undermining the tamper-evidence model.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The installation flow provisions a system user and persistent service even though the manifest frames the skill as a detector/logger. In this context, persistence and privileged setup are not inherently malicious, but underdocumented system modification is risky because it creates long-lived privileged components that may be abused or misunderstood.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The claim that Clawdbot cannot stop the watchdog is a strong security assurance, yet the same document relies on agent-mediated setup and root-level commands. Overstated tamper-resistance claims can mislead users into trusting the component as a hard security boundary when it is still installed, configured, and potentially influenced through an agent-driven workflow.

Description-Behavior Mismatch

High
Confidence: 93%
Finding
The alerter is described as a watchdog/audit component, but its channel design includes active execution of external programs such as the gateway CLI. In a security-sensitive agent context, turning detections into command execution expands the trust boundary and creates a path for config-driven side effects, privilege misuse, or shelling out from a component that should ideally be passive.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The Command alert channel executes an arbitrary configured binary with attacker-influenced alert content on stdin. If an untrusted user can influence configuration, environment, PATH resolution, or the chosen executable, this becomes a straightforward remote code execution or privilege-escalation primitive inside a security monitoring component.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The ClawdbotWake channel causes the alerter to invoke an external CLI for signaling, which is more than passive audit logging. While less dangerous than the generic Command channel because the executable and arguments are more constrained, it still introduces process-spawning behavior and a dependency on external command resolution and runtime environment.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The CLI includes a guided installation wizard that probes the host environment and tells the user to execute privileged system-modifying commands, which is outside the core need of an audit/logging tool. In this skill’s context, bundling operational surveillance with installer logic that directs persistence and concealment increases the chance of misuse and lowers operator scrutiny.

Intent-Code Divergence

High
Confidence: 99%
Finding
The wizard explicitly says the binary should be installed under a stealth name, 'systemd-journaldd', so it blends in and is harder to identify as a watchdog. Deliberate disguise of a service is a classic stealth/persistence technique and is not required for legitimate audit protection.

Intent-Code Divergence

High
Confidence: 96%
Finding
The wizard justifies hidden directories by saying they make the watchdog harder for attackers to find and target, encouraging concealment rather than transparent system administration. In an agent skill, instructing users to hide artifacts under misleading paths can facilitate unauthorized persistence and frustrate defenders.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The collector thread blocks in `read_events_blocking()`, but `stop()` and `Drop` only set a flag and do not interrupt that blocking syscall or close the underlying inotify fd. This means shutdown can hang indefinitely and the background thread may continue running after callers believe it has been stopped, creating a denial-of-service and reliability problem in a security monitoring component.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
This collector is described and structured as a filesystem activity monitor, but the configured fanotify mask only subscribes to FAN_OPEN_EXEC events. As a result, file creation, deletion, modification, and ordinary access events are silently not collected, creating a dangerous monitoring gap that can let tampering or data theft occur without audit evidence while operators believe broader coverage exists.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The installer description promises a filesystem activity watchdog, but the comments explicitly describe monitoring all commands on the system, correlating credential access with network calls, and detecting activity outside the bot context. That is a materially broader surveillance capability than the stated skill metadata and can mislead operators into deploying host-wide behavioral monitoring with elevated privileges.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The post-install output advertises monitoring of a target UID, exec-only watch mode, severity thresholds, and operational commands for reviewing monitored activity, which reinforces that this tool observes user command execution rather than merely filesystem changes. In the context of a security skill, this scope mismatch increases the risk of covert or overbroad monitoring being normalized as benign auditing.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The header recommends installation via 'curl | sudo bash', but the script itself only installs from a local prebuilt binary and does not validate provenance or retrieve a specific signed artifact. This mismatch encourages unsafe installation behavior and undermines operator understanding of what code is actually being trusted and executed as root.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The installer explicitly provisions monitoring scope far beyond a narrow Clawdbot filesystem-audit role by noting watch_paths includes "/" and "/home/clawdbot", which can expose broad host activity. In context, this is made more suspicious by the use of disguised binary and service names, suggesting covert host surveillance rather than transparent security tooling.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
Adding the service account to the clawdbot group expands access from filesystem auditing into process inspection via /proc, which is not clearly necessary for the advertised function. Because the script runs as root and installs persistent services under disguised names, this privilege expansion materially increases the risk of covert monitoring or misuse of process metadata.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The script presents itself as a security watchdog but installs binaries and units with names mimicking legitimate system components such as systemd-journaldd and systemd-core-check. Deliberate masquerading is a strong indicator of stealth and makes the deployment harder for administrators to notice, assess, or remove safely.

Missing User Warnings

Medium
Confidence: 94%
Finding
Mandating a GitHub push after each bead causes external network transmission and publication behavior without any explicit user confirmation or disclosure at the point of action. In an agent context, this can leak proprietary code, secrets, or sensitive development state to a remote service unexpectedly.

Missing User Warnings

Medium
Confidence: 92%
Finding
Requiring use of a '--full-auto' sub-agent authorizes autonomous code changes and command execution without a corresponding consent or safety checkpoint. This increases the risk of unintended file modification, command execution, or unsafe actions occurring beyond what the user reasonably expects.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README recommends privileged installer and uninstall flows that create users, write into system directories, install services, and enable persistence, but does not prominently warn about the scope of those changes. In an agent-skill ecosystem, normalizing opaque root-level installation increases the chance operators run impactful commands without understanding what will be modified.

Missing User Warnings

Medium
Confidence: 95%
Finding
The quick-install path asks users to run a privileged shell script directly with sudo and provides no explicit warning about the scope of system changes. This is dangerous because it bypasses review of commands that create users, install services, modify files, and establish persistence, making social engineering or accidental misuse much easier.

Missing User Warnings

Medium
Confidence: 97%
Finding
The wizard recommends stealthy renaming of the watchdog binary without warning the user that this conceals the true nature of the installed service. That makes the tool materially more dangerous because it normalizes deceptive deployment and can aid covert persistence on a host.

Missing User Warnings

Medium
Confidence: 94%
Finding
The wizard prints copy-pasteable privileged commands that create users, write into /etc and /usr/local/sbin, and enable services, but provides no safety interlocks, privilege warnings, or dry-run mode. Even if intended for convenience, this can lead to unsafe installation or abuse when presented through an agent interface.

VirusTotal

64/64 vendors flagged this skill as clean.