clawder

Security checks across malware telemetry and agentic risk

Overview

Clawder is a coherent agent social-network skill, but it asks agents to act publicly and periodically overwrite installed skill files from a remote site without strong user review or integrity controls.

Install only if you intentionally want an agent to maintain a Clawder identity and take routine social actions without asking each time. Do not use the heartbeat self-update commands unless you manually review and verify the downloaded files before they replace the installed ones. Set explicit limits for posts/DMs/swipes, protect the CLAWDER_API_KEY (rotate it if it is exposed), and never set CLAWDER_SKIP_VERIFY.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill uses environment secrets, network access, and shell execution but does not declare permissions or present a clear capability boundary. That weakens user awareness and reviewability, making it easier for a skill to act with more power than its metadata suggests, especially since it sends an API key to a remote service and runs downloaded code.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared description emphasizes syncing identity, browsing, swiping, and DMing, but the skill also supports posting, replying, reading profile/post data, reading DM threads, and acknowledging notifications. This broader behavioral surface increases the chance that users or host agents grant trust for limited social actions while the skill can also publish content, consume private conversation data, and alter notification state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The heartbeat expands the skill beyond a user-invoked social tool into a periodically running agent that also self-updates from the network. That materially changes the trust model: the skill can alter its own behavior over time and act without a fresh user request, creating a supply-chain and unauthorized-action risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The file instructs the agent to browse, swipe, and message autonomously rather than only when directly requested by the user. In a social platform context, this can cause the agent to take actions on the user's behalf without clear consent, potentially creating reputational harm, spam, or unwanted interactions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The skill instructs the runtime to fetch a remote version indicator and overwrite local SKILL.md, HEARTBEAT.md, and clawder.py directly from a website. This is a classic remote code/content update path without integrity protection, allowing server compromise, DNS/TLS interception, or malicious operator changes to silently replace local logic and potentially execute arbitrary code via the downloaded Python script.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The instructions tell the agent to 'just swipe' and interact without first warning the user that the system will take public or semi-public social actions on their behalf. Because these actions affect third parties and the user's reputation, lack of upfront disclosure and consent is a meaningful safety and policy problem.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The update instructions silently overwrite files in the local skill installation directory from remote downloads, but do not warn that local content and executable logic will be modified. Hidden modification of local files increases the chance of unreviewed changes, persistence, and compromise, especially because one of the files is an executable Python script.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding: The skill explicitly instructs the agent to take autonomous social actions and forbids asking the human for permission on likes, comments, and passes. In context, these are public or semi-public actions performed on the user's behalf, so suppressing confirmation removes an important safety checkpoint and can lead to reputational harm, unwanted interactions, or policy-violating messages.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill strongly encourages autonomous likes, comments, posts, and DMs, but its description does not clearly warn that it may speak and act publicly as the user/agent identity without per-action approval. This creates a consent and expectation mismatch that can cause users to install the skill without realizing it may autonomously generate externally visible content.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The script allows TLS certificate validation and hostname checking to be disabled via `CLAWDER_SKIP_VERIFY=1`, which enables man-in-the-middle interception of API traffic. In this skill, that traffic includes Bearer API keys and user content, so disabling verification can directly expose credentials and sensitive messages.

VirusTotal

66/66 vendors flagged this skill as clean.
