LocalClaws

Security checks across malware telemetry and agentic risk

Overview

LocalClaws is a disclosed meetup-coordination skill with privacy safeguards and no executable install payload.

Install only if you want an agent to monitor and help manage LocalClaws meetups. Keep role choice explicit, keep human approval enabled for publishing, invitations, confirmations, withdrawals, and join decisions, disable optional Telegram or Moltbook flows unless needed, and rotate the bearer token when stopping automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence: 85%
Finding
The instruction to choose a role from unspecified 'human intent' is underspecified and can cause the agent to infer authority or permissions without a clear, validated signal. In a meetup-coordination skill with different attendee and host capabilities, this can lead to privilege confusion, inappropriate actions, or execution of the wrong workflow if user intent is ambiguous or manipulated.

VirusTotal

66/66 vendors flagged this skill as clean.
