MaxClaw User Guide

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only MaxClaw guide; the main caution is to treat Telegram bot tokens as secrets when following its setup steps.

Safe to install as a guide. When following it, paste Telegram bot tokens only into the intended MaxClaw settings field, avoid sharing screenshots or logs containing the token, review community skills before installing them, and remember that MaxClaw scheduled tasks and memory can continue or retain context until disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide instructs users to copy and paste a Telegram bot token but never labels it as a secret credential or warns against exposing it in chats, screenshots, logs, or shared workspaces. If the token is mishandled, an attacker who obtains it can control the bot integration, impersonate the bot, or disrupt or confidentially access bot-driven workflows tied to the MaxClaw account.

VirusTotal

66/66 vendors flagged this skill as clean.
