Back to skill

Security audit

Clauditor

Security checks across malware telemetry and agentic risk

Overview

Clauditor appears to be a real defensive audit tool, but it installs persistent system services using deliberately stealthy names and includes under-scoped privileged behaviors that users should review carefully.

Install only if you intentionally want a persistent Linux audit daemon for Clawdbot and are comfortable reviewing the sudo scripts first. Pay special attention to the stealth service names, hidden log directory, command alert channel, GitHub workflow instructions, broad monitoring scope, and uninstall behavior that can remove audit evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (47)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises shell-capable installation and operational commands but does not declare corresponding permissions, which undermines least-privilege review and informed consent. In an agent setting, hidden shell/network capabilities materially increase risk because the agent may execute commands or reach external systems without users realizing the full capability surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is a filesystem audit watchdog, but the analyzed behavior set is substantially broader: process/command monitoring, alert delivery through external channels, execution of arbitrary configured commands, anomaly detection, and deployment automation. This mismatch is dangerous because users may grant trust and privileges appropriate for a logging tool while the skill actually operates as a much more powerful monitoring and command-executing component.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The instructions explicitly direct the agent to push changes to GitHub, causing external network transmission unrelated to the core purpose of a local audit watchdog. In a skill context, this expands authority from local auditing into outbound exfiltration/supply-chain actions without any consent gate or scope check.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Mandating a full-auto engineering sub-agent gives the skill the ability to delegate broad implementation work beyond simple auditing, increasing autonomy and reducing oversight. That capability is not necessary for the stated watchdog function and can be abused to make unreviewed code or system changes.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The document presents the skill as a standalone local daemon with constrained inputs and outputs, but later adds GitHub pushes and multi-agent orchestration that materially broaden behavior. This mismatch can mislead reviewers and users about actual capabilities, reducing informed consent and making risky operations easier to hide.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README explicitly recommends a stealth/masquerading service name (`systemd-journaldd`) for a security watchdog. Disguising a persistent privileged service as a system component hinders administrator review and resembles evasion tradecraft; in an agent skill context, that materially increases the risk of covert persistence or abuse.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The documentation claims 'exec-only monitoring' while later sections describe monitored watch paths and broader filesystem activity. This mismatch can mislead operators about the scope of surveillance and permissions, causing them to install a more invasive privileged monitor than they intended.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The documentation makes strong security guarantees ('cannot stop', 'cannot delete evidence') that are not justified by the installation steps shown. Overstated tamper-resistance can create a false sense of security, causing operators to rely on the tool for incident evidence preservation beyond what it can actually guarantee.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The Command alert channel allows execution of an arbitrary configured program with attacker-influenced alert content sent over stdin. In a security monitoring component that may run with elevated privileges, this creates a dangerous command-execution sink if configuration is compromised or overly permissive, turning alert generation into code execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The CLI includes a wizard that goes beyond auditing and provides step-by-step operational guidance for privileged installation, persistence, and concealment. That materially expands the tool from defensive monitoring into deployment tradecraft, which is dangerous because it lowers the barrier to stealthy system modification under the guise of a watchdog.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The wizard explicitly instructs users to disguise the binary/service and install it as a persistent background component, which is not justified by a normal audit-watchdog function. This is dangerous because it directly supports covert persistence and operational evasion on a host.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation claims Clawdbot cannot read the HMAC key because of user isolation, but the daemon can fall back to an unprivileged collector mode that may not preserve the stated trust boundary. This mismatch is dangerous because operators may rely on tamper-resistance assumptions that are not actually enforced in all runtime modes.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The HMAC-chained record is created before attaching the file path, operation kind, and process metadata to the emitted CollectorEvent, so the tamper-evident chain does not actually authenticate the critical forensic details. An attacker or compromised downstream component could alter those details while preserving a valid chain over only the generic message event, undermining audit integrity and non-repudiation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The installer text describes a Clawdbot-focused watchdog, but the script and accompanying messaging indicate host-wide command monitoring via a root-installed systemd service. This mismatch undermines informed consent and can cause operators to deploy a much broader surveillance capability than expected.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script installs and enables persistent privileged systemd units, giving the package ongoing root-level execution beyond a simple one-time audit setup. In an agent-skill context, this materially increases the blast radius if the binary or unit files are flawed, replaced, or later abused.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The uninstall path explicitly offers to delete audit logs and first removes append-only protections with chattr -a, which defeats the stated tamper-resistant evidence model. An attacker with access to run the uninstall can erase forensic history and conceal prior activity.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The installer deliberately deploys components under deceptive system-like names (for example, 'systemd-journaldd' and 'systemd-core-check') and uses a hidden log path under '/var/lib/.sysd/.audit'. That behavior is inconsistent with a transparent security tool and materially increases stealth, making the service harder for administrators to discover, audit, or remove.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The installer adds the service account to the 'clawdbot' group to obtain broader '/proc' visibility, expanding the daemon's access beyond what is clearly justified by the stated watchdog purpose. This weakens least-privilege boundaries and may expose process metadata or other resources associated with that group.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer notes that the config uses 'watch_paths=["/", "/home/clawdbot"]', which implies monitoring of the full root filesystem rather than only Clawdbot-specific suspicious activity. This broadens surveillance scope, increases privacy and performance risk, and exceeds what many operators would infer from the skill description.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The verification step reports 'exec-only monitoring enabled' if it finds either 'exec_watchlist' or any 'watch_paths' entry, even though 'watch_paths' does not prove exec-only behavior. This can mislead operators into believing the tool is narrowly scoped when it may actually be configured for much broader monitoring.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Requiring pushes to GitHub every bead creates routine external data transfer without warning the user that code, logs, paths, or other sensitive context may leave the local environment. In a security-oriented skill, silent outbound transmission is especially dangerous because monitored artifacts may contain sensitive operational details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The repository integration section mandates network pushes after each unit of work while omitting any notice that local data will be transmitted to a third-party service. This creates a clear consent and data-handling problem and could expose internal code or environment details.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to run a root-privileged installer script (`sudo bash wizard/wizard.sh`) without an upfront warning that it will modify users, directories, keys, systemd units, and persistent services. In a skill ecosystem, encouraging direct execution of a privileged script increases the chance of unsafe installation of unreviewed code.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The manual installation section performs sensitive actions such as creating a system user, writing secrets to `/etc`, copying unit files, and enabling a service, but does not clearly warn that these are privileged and persistent system modifications. That omission can cause administrators to underestimate the trust and review required before execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-install path instructs users to run a privileged shell script directly with sudo, without nearby warnings or a summary of system modifications. This is dangerous because it encourages one-shot root execution of complex installer logic, reducing user scrutiny and increasing the blast radius of mistakes or malicious changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.