Back to skill

Security audit

Security Monitor

Security checks across malware telemetry and agentic risk

Overview

This security monitor does mostly expected host checks, but it also reads a credentials file and does not honor its advertised threat selection, so it should be reviewed before installation.

Install only if you are comfortable giving this skill access to host logs, process and port listings, Docker status, /root/clawd paths, and /root/clawd/skills/.env. Before use, remove or patch the .env content read, do not rely on --threats for scoping until fixed, run with the least privilege that still supports the checks you need, and protect or rotate the generated alert and state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises credential-usage monitoring, but this code does not analyze usage patterns at all; it reads a sensitive .env file and only checks whether certain provider names appear. That creates unnecessary access to secret-bearing material and can mislead operators into believing credential misuse is being monitored when it is not.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads /root/clawd/skills/.env in full even though the stated purpose is security monitoring, not secret retrieval. Reading sensitive credential files expands the blast radius of any compromise, increases the chance of accidental disclosure through future logging/debugging changes, and violates least-privilege design.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comment and feature framing imply unusual API key usage detection, but the implementation only detects credential-name presence in a local file. This mismatch is dangerous because it can create false assurance during incident response while still needlessly touching sensitive configuration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The monitor accesses a sensitive .env file without any user-facing disclosure, consent boundary, or clear operational notice. In an agent skill context, hidden credential-file access is more dangerous because users may install monitoring functionality expecting log inspection, not direct secret-file reads.

Credential Access

High
Category
Privilege Escalation
Content
// This is a simplified check - real implementation would need API integration
  
  try {
    const envContent = fs.readFileSync('/root/clawd/skills/.env', 'utf8');
    
    if (envContent.includes('TWITTER') || envContent.includes('KAPSO')) {
      log('INFO', 'API credentials present', {
Confidence
98% confidence
Finding
.env'

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/monitor.cjs:79