Back to skill

Security audit

clawlist

Security checks across malware telemetry and agentic risk

Overview

This task-management skill is not malicious, but it gives very broad workflow control and supports recurring agent work without clear stop or approval limits.

Install only if you want a strong planning workflow that may steer many agent tasks into a structured process. Before enabling long-running or infinite tasks, define the scope, cadence, allowed actions, stop conditions, and approval requirements, and periodically review the saved memory task and plan files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description uses absolute activation language ('MUST use for any multi-step project, long-running task, or infinite monitoring workflow'), which can cause the agent to invoke this skill in an overly broad set of situations without sufficient scoping. This creates a policy-steering risk where normal tasks are funneled into a persistent workflow with memory and automation behavior, increasing the chance of unintended task persistence, unnecessary file writes, or execution chaining.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The usage guidance says to 'ALWAYS use clawlist' for broad and ambiguous conditions such as 'starting any new project' or when progress needs tracking across sessions. In context, this skill coordinates multiple sub-skills, updates persistent task files, and integrates with heartbeat for recurring execution, so ambiguous mandatory triggers can cause accidental overreach into autonomous or continuous behavior beyond what the user explicitly requested.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase "MUST use before any creative work" is extremely broad and can match a large share of normal development activity, including feature work, component changes, and behavior modifications. This can cause the skill to activate unnecessarily, steer workflows away from user intent, and create prompt-routing conflicts with other skills, especially in multi-skill environments where precedence matters.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill is framed as applicable to virtually any task ('Use when executing any task' and 'central execution skill'), creating an overbroad trigger that can force unnecessary invocation and crowd out more specific, safer skills. In an agentic system, this increases prompt-routing manipulation risk and can bias the agent into obeying this skill as a universal controller rather than using context-appropriate logic.

Vague Triggers

High
Confidence
98% confidence
Finding
The rule to invoke a skill whenever there is 'even 1% chance' any skill might apply is an ambiguous, coercive activation policy that pressures the agent to over-trigger skills before normal reasoning or clarification. This can be exploited to create skill-chaining loops, suppress direct user assistance, and make the agent follow procedural instructions from untrusted skill text too readily.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The frontmatter says the skill 'MUST use after completing any multi-step task or project,' which is an overly broad activation condition. In an agent system, this can cause the skill to trigger in many normal workflows, increasing prompt-surface area, unnecessary file access, and the chance that verification logic runs when not explicitly requested or contextually appropriate.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger examples include common phrases like 'is it done?' and 'did it work?', which overlap with ordinary conversation. That makes accidental activation more likely, potentially causing the agent to enter verification flow, inspect plan files, or produce completion-report behavior when the user only wanted a casual status update.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.