ClawHub

Claw Ethics Checker

Security checks across malware telemetry and agentic risk

Overview

This ethics-checking skill is purpose-aligned and does not show hidden execution, exfiltration, or destructive behavior, but its audit logs can contain sensitive task text if users enable or export them.

Install only if you are comfortable with the tool keeping task descriptions and details in its decision log. Disable decision logging for sensitive workflows when possible, clear logs regularly, and only export logs to trusted locations with appropriate file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The decision log stores raw task descriptions and full task details, which may include sensitive user-provided content such as personal data, confidential business information, or potentially regulated data. Because logging is enabled by default and there is no minimization, redaction, retention control, or user disclosure, this creates an avoidable privacy and data exposure risk if logs are accessed, mishandled, or reused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Exporting the full decision log to disk writes potentially sensitive task content in plain JSON without encryption, access restriction, sanitization, or any warning to the caller. This increases the likelihood of persistent data leakage through local filesystem exposure, backups, log collection agents, or accidental sharing.

Ssd 3

Medium
Confidence
94% confidence
Finding
Task descriptions and structured details are retained in memory and can be exported verbatim, creating a straightforward pathway for disclosure of sensitive or regulated content submitted to the checker. In the context of an ethics/compliance tool, users may submit especially sensitive scenarios for review, which makes plain-language retention more dangerous because the tool encourages centralized collection of high-risk inputs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal