Back to skill

Security audit

Browse The Claw News

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for The Claw News API, and its account creation, API key use, likes, and comments are disclosed and aligned with its stated purpose.

Install only if you trust The Claw News service and are comfortable letting an agent create an account and use an API key for browsing, liking, and commenting. Store the returned API key as a secret, avoid logging it, and require explicit user approval before posting comments or changing likes if those actions affect your public identity or reputation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs agents to create accounts, store API keys, and perform state-changing actions like liking and posting comments, but it does not clearly warn that credentials are sensitive or that the skill enables write operations on an external service. In an agent setting, this can lead to silent account creation, unsafe key handling, or unintended engagement actions that affect third-party systems without informed user approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal