Clawguard Release

Security checks across malware telemetry and agentic risk

Overview

ClawGuard is mostly a local proofing/security utility, but it asks for broad local scan and maintenance authority with weak scoping and some misleading security assurances.

Review this carefully before installing. Use it only if you are comfortable with a skill that reads and records metadata about local files, may inspect Windows system/network state, may contact public NTP servers, and includes cleanup/restore commands that modify files in the working directory. Avoid running it on broad or sensitive folders, and do not rely on its legal, ransomware, or security-scan claims without independent verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The README advertises file, OS, and network scanning plus ransomware protection even though the skill is described as an offline-first local proof system. This is a scope-expansion and capability-mismatch issue: users may grant broader trust, permissions, or access than expected, increasing the chance of privacy-invasive or system-impacting behavior under a misleading security-focused brand.

Description-Behavior Mismatch

Severity: Low
Confidence: 72%
Finding
Claiming an offline-first design while documenting use of an external NTP source creates a trust and architectural inconsistency. Even if NTP fallback is optional, external time synchronization can leak metadata, violate strict offline expectations, and undermine user assumptions about isolation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill claims to be offline-first/local, but it performs outbound UDP requests to public NTP servers. This creates undisclosed network egress, leaks metadata about use, and breaks isolation assumptions users may rely on in sensitive or air-gapped environments.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The module includes system-maintenance functions unrelated to digital proofing, including recursive deletion and config overwrite operations. Bundling these capabilities into a proofing skill expands attack surface and enables accidental or abusive modification of local state beyond the skill's stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The command handler exposes cleanup functionality directly to user input, allowing recursive deletion of preset directories without confirmation. In an agent setting, a simple prompt or indirect command trigger could cause destructive local changes unrelated to asset proofing.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The help text states 'No Cloud' and 'Fully Self-hosted' while the code contacts public NTP infrastructure. This is a deceptive security property mismatch that can cause users to deploy the skill in environments where any network egress is prohibited or sensitive.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The function claims to verify file integrity after a ransomware attack, but it only checks whether the supplied proof ID appears anywhere in the stored proof data and never compares the current file hash against the original recorded hash. This can produce false 'verified' results for modified or encrypted files, undermining incident response, recovery decisions, and any downstream insurance or audit use of the result.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The code treats a file as 'proven' and therefore trusted solely by matching its basename against a local proof list, without verifying content, path, signature, or even the unused hash helper. An attacker can rename a malicious file to a listed filename and have it presented as trusted, which can suppress scrutiny and create dangerous false assurance in a security-scanning context.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file performs broad local network security scanning even though the skill is described as an offline-first digital asset proof/local blockchain tool. This mismatch is dangerous because it expands data access beyond user expectations, creating unnecessary host reconnaissance capability that could be repurposed for surveillance or environment discovery.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
Spawning PowerShell to inspect listening ports is unjustified by the stated proof-system functionality and gives the skill host reconnaissance capabilities. In agent contexts, such capability is risky because it can enumerate services and environment details useful for follow-on attacks or privacy-invasive profiling.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code inspects DNS servers, remote connections, and Wi‑Fi authentication settings without a clear relationship to the skill's advertised purpose. This is dangerous because it gathers sensitive environmental and network posture information that users would not reasonably expect an offline proof tool to access.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The function claims to check for suspicious connections but ignores the collected data and always reports success when the subprocess returns. This can create a false sense of security, causing users or downstream automation to trust a security assessment that was never actually performed.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The file implements Windows host security scanning even though the skill is described as a digital asset proof system. This mismatch is dangerous because users and reviewers may grant broader trust than intended, enabling undisclosed host inspection and collection of sensitive system state.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Executing PowerShell to inspect Windows update state is unrelated to the declared digital asset proof function and creates undisclosed host interrogation capability. In agent ecosystems, hidden system inspection is especially dangerous because it can normalize privileged local reconnaissance under an unrelated brand.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Enumerating listening ports and running processes gives the skill host surveillance capability that is unrelated to its stated purpose. This can expose sensitive environmental information, aid fingerprinting of the machine, and undermine least-privilege expectations for users who installed a different type of tool.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The update-check function always returns a passing result regardless of command output, which can falsely reassure users that the host is secure. Security tooling that silently reports success despite failed or inconclusive checks creates a dangerous integrity issue and may delay remediation of real exposure.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding
The document presents compliance with PRC Copyright Law and recommends use in legal disputes without clearly limiting the claim to that jurisdiction or warning users that evidentiary standards vary by region, court, and case type. In a security-sensitive proof system, this can mislead users into over-relying on the product for legal validity, creating regulatory, consumer-protection, and trust risks if the claim is inaccurate or inapplicable.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README documents scanning, backup, restore, and clean operations without warning about their effects on files, system state, privacy, or network visibility. For a security-branded tool, omission of impact disclosures is dangerous because users may run high-privilege or destructive actions without informed consent, increasing the risk of data loss or over-collection.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The release notes state that the watermark is 'permanently embedded' and describe automatic watermark insertion, but they do not clearly warn users that this irreversibly alters image contents and may overwrite or degrade originals if copies are not preserved. In a digital-asset proof tool, users may process valuable originals in bulk, so lack of an explicit non-destructive workflow warning can lead to accidental data integrity loss and operational harm.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The module creates local data directories and proof-chain files immediately on import, causing side effects before user consent or command execution. Import-time writes are risky in agent ecosystems because simply loading the skill modifies the filesystem and may leave artifacts in unexpected locations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill sends packets to external NTP servers without clearly informing the user that network communication occurs. Undisclosed outbound traffic is especially dangerous for privacy-sensitive, regulated, or offline-assumed deployments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Batch proofing recursively walks a folder, reads many files, and records metadata locally without any warning about the scope of access or persistence. In an agent context, this can unexpectedly ingest sensitive data from large directory trees and create durable records of filenames, owners, and hashes.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The clean operation recursively deletes directories without warning or confirmation. Even though the target names are fixed, this is dangerous because it can erase local data in the current working tree through a single command and is unrelated to the core proofing function.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The restore function silently overwrites config.json from the latest backup with no warning or integrity validation. This can unexpectedly replace local configuration and, if backups are manipulated, restore attacker-controlled settings.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
Using fuzzy matching with very short, generic invocation phrases like "ClawGuard" and "龙虾卫士" increases the chance the skill will trigger on unrelated user text. Because this skill exposes potentially sensitive actions such as scan, export, clean, backup, and restore, accidental activation could cause unintended security-relevant operations or disclosure of local data.

VirusTotal

VirusTotal engine telemetry currently flags this artifact as malicious.