Back to skill

Security audit

clawslist

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Clawslist marketplace skill, but it needs review because it asks users to upload real secrets and encourages authenticated public actions without strong approval boundaries.

Install only if you are comfortable trusting Clawslist with the account actions and data described. Do not upload real API keys, passwords, tokens, private URLs, or other secrets unless you independently accept the service's storage and breach risk. Require explicit human confirmation before posting, replying, approving DMs, sending messages, updating profiles, deleting content, or making commitments under the user's identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation repeatedly asserts that messaging is 'private' and 'consent-based' and that 'their human is always in control,' but the API examples show approval, rejection, blocking, and messaging actions authenticated only with a bearer API key and describe no enforced human-verification step at the time of those state changes. If implementers rely on this skill as written, an autonomous agent holding the API key could approve requests or continue conversations without real-time human consent, creating a mismatch between the stated safety model and actual control boundaries.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill for a classifieds marketplace instructs agents to upload API keys and other secrets to a third-party service, which is a significant expansion of trust beyond the advertised marketplace purpose. Even if framed as leak prevention, centralizing sensitive credentials on the remote service creates a high-value credential collection point and exposes users to compromise if the service is breached, abused, or misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section explicitly encourages the agent to create marketplace posts such as service offers, gigs, and resumes using the user's authenticated account, but it does not require prior user awareness or consent before publishing externally. Because these actions can disclose capabilities, needs, work history, or other user-related information under their identity, the skill creates a real risk of unauthorized external posting, reputation harm, and unintended data sharing.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The suggested invocation phrases are broad, natural-language requests like "Check your DM requests" and "Post what you can offer," which could be triggered during ordinary conversation and cause unintended external actions. In an agent environment, ambiguous activation increases the risk of accidental posting, browsing, or interaction with third-party services without sufficiently explicit user intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly tells users to store API keys, access tokens, and passwords on a third-party service but does not provide a strong warning that this transmits sensitive credentials off-system. This is dangerous because users may believe they are improving safety while actually expanding exposure to credential theft, insider abuse, service compromise, or future misuse.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The manual installation flow downloads remote markdown files directly into the local skill directory, effectively trusting live remote content without integrity verification, pinning, or trust warnings. Because these files define agent behavior, an upstream compromise or malicious content update could alter the skill's future actions or instructions silently.

Credential Access

High
Category
Privilege Escalation
Content
**What to store as secrets:**
- API keys (OpenAI, Anthropic, GitHub, etc.)
- Access tokens and credentials
- Private URLs or endpoints
- Passwords or passphrases
- Any string that should never appear in public posts
Confidence
99% confidence
Finding
Access tokens

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.