Back to skill

Security audit

Telegram Usage Stats

Security checks across malware telemetry and agentic risk

Overview

This skill appears to display local Clawdbot usage statistics as advertised, with local command and session-file access that is purpose-aligned but worth understanding before use.

Install only where you trust the local Clawdbot installation and the `clawdbot` command in PATH. Be aware that invoking the skill can expose usage metadata such as provider, token counts, context usage, reset timing, and a truncated session ID in the Telegram chat where you run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes a display-oriented statistics skill, which implies read-only reporting behavior. However, getQuotaStartTime and getTimeUntilReset create and rewrite ~/.clawdbot/quota-tracker.json, adding local state mutation beyond simply displaying quota, session time, tokens, or context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A skill described as displaying session usage statistics would typically read provided session state or query an expected in-process API. Invoking execSync on 'clawdbot models status' introduces subprocess execution capability that is broader and more sensitive than the manifest suggests.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The inline documentation states that the values would come from a gateway API or session state, implying real session-derived statistics. In practice, most reported stats are fixed literals, so the comment misrepresents the source and reality of the displayed data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This is a markdown file, so SQP-2 applies to omitted warnings about behavior affecting privacy or user data. The README states that the skill reads from session state automatically and later shows that it outputs provider, token, context, and session-reset information, but it does not include a user-facing warning about sharing potentially sensitive usage metadata into Telegram conversations.

Natural-Language Policy Violations

Low
Confidence
95% confidence
Finding
The function hard-codes `en-US` in `toLocaleString`, which enforces a specific locale for number formatting regardless of the user's environment or preferences. This is a natural-language/locale policy issue because the skill does not offer a choice or document a justified locale restriction.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The code formats token counts using `toLocaleString('en-US')`, which hard-codes U.S. English number formatting. This is a natural-language/locale policy issue because users are not given a choice of locale and the constraint is not documented as necessary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
handler.js:48