Back to skill

Security audit

Claw Permission Firewall

Security checks across malware telemetry and agentic risk

Overview

This is a security policy evaluator; the dangerous-looking commands, secrets, and file paths are example inputs meant to be blocked or redacted, not actions the skill executes.

Install only if you understand this is a policy decision helper, not a complete enforcement boundary. Configure policy.yaml for your environment, execute only sanitizedAction after an ALLOW decision, fail closed on unexpected action types or evaluator errors, and keep dependencies patched.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (7)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest defines a network request that can fetch and potentially act on remote content, but it provides no trigger scope, activation constraints, or user-consent boundaries. In this file, that risk is amplified by the request targeting a raw GitHub install script and including a hard-coded API key header, creating a broad, potentially abusable outbound request capability with unclear invocation conditions.

External Transmission

Medium
Category
Data Exfiltration
Content
"action": {
    "type": "http_request",
    "method": "GET",
    "url": "https://api.github.com/repos/octocat/Hello-World",
    "headers": {
      "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc.def"
    }
Confidence
90% confidence
Finding
https://api.github.com/

Credential Access

High
Category
Privilege Escalation
Content
{
  "action": {
    "type": "file_read",
    "path": "~/.ssh/id_rsa"
  },
  "context": {
    "workspaceRoot": "/workspace",
Confidence
99% confidence
Finding
~/.ssh/id_rsa

Known Vulnerable Dependency: js-yaml==4.1.0 — 2 advisory(ies): CVE-2026-53550 (JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases); CVE-2025-64718 (js-yaml has prototype pollution in merge (<<))

Low
Category
Supply Chain
Confidence
88% confidence
Finding
js-yaml==4.1.0

Known Vulnerable Dependency: minimatch==9.0.5 — 3 advisory(ies): CVE-2026-27904 (minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regu); CVE-2026-26996 (minimatch has a ReDoS via repeated wildcards with non-matching literal in patter); CVE-2026-27903 (minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adja)

High
Category
Supply Chain
Confidence
95% confidence
Finding
minimatch==9.0.5

Tool Parameter Abuse

High
Category
Tool Misuse
Content
{
  "action": {
    "type": "exec",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
Confidence
98% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
{
  "action": {
    "type": "exec",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
Confidence
98% confidence
Finding
rm -rf /"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.