ClawHub

Claw Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate local security scanner, but its reports can include secrets it finds and the documentation understates some higher-risk modes.

Install only if you are comfortable with a local tool reading the skill directories you point it at. Treat generated JSON or Markdown reports as sensitive because they may contain real secrets; redact them before sharing or uploading. Prefer targeted local scans, avoid enabling any future auto-scan, URL-scan, dynamic-analysis, or auto-fix behavior until the tool clearly documents scope, isolation, redaction, and rollback behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation enables automatic scanning on install and update, which implies background analysis of locally installed skills and directories without clearly warning users about the scope of file access. Even if intended as a security feature, undisclosed automatic inspection can surprise users, create privacy concerns, and normalize broad filesystem access for a skill.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The remote URL scanning feature states that users can scan a skill by URL, but it does not warn that this requires network access and may transmit user-supplied URLs or related metadata to external services. In a security-sensitive tool, silent network activity increases the risk of privacy leakage, SSRF-like misuse, or unexpected outbound requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented auto-fix mode suggests the tool may automatically modify user files, but there is no prominent warning that changes could alter or damage the target skill if applied incorrectly. For a tool operating on source trees, unreviewed write operations can cause integrity loss, break builds, or overwrite user work.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal