Clawprint-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it exposes broad authenticated access to a sensitive business-formation API with inconsistent scope and weak credential-safety guidance.

Review carefully before installing. Only use this with a dedicated Clawprint account/key, keep the secret key out of chats, logs, screenshots, shell history, and source control, verify the live products list before each action, and require explicit human approval before creating businesses, submitting sponsor/KYC data, or using any banking/payment-related capability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill is presented as a narrowly scoped LLC-formation tool, but the documented interface enables generic HTTP request construction with arbitrary methods, paths, query strings, and JSON bodies, plus credentialed access using stored keys. That mismatch materially expands capability beyond the stated purpose and can let an agent invoke unintended or future API endpoints, increasing the risk of overbroad external actions, data access, or abuse under the user's credentials.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The README states that Clawprint lets AI agents form LLCs, open bank accounts, and accept payments, which materially exceeds the stated skill purpose of LLC formation. This kind of capability inflation can mislead agents or operators into invoking the skill for financial actions they may assume are supported or authorized, increasing the chance of unsafe delegation, policy bypass, or unintended transmission of sensitive business data to a third-party service.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The README presents banking and payment capabilities as currently available near the top, but later lists them as future features. This inconsistency can cause users or autonomous agents to overtrust the skill and attempt sensitive financial workflows under false assumptions, which is especially risky in a tool intended to create real-world legal entities and potentially handle regulated operations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding: The package metadata claims capabilities beyond LLC formation, specifically opening bank accounts and accepting payments, which expands the apparent operational scope of the skill beyond its stated purpose. In an agent ecosystem, this mismatch can cause unsafe invocation, over-privileging, or user misunderstanding about what the skill is allowed to do, especially in a sensitive financial/legal domain.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The script exposes a generic API client capable of calling arbitrary documented Clawprint endpoints, including user-management operations, while the skill is advertised as narrowly for LLC formation with human sponsor oversight. This capability mismatch materially expands what an agent can do and can bypass expected workflow constraints or human review assumptions tied to the skill's stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The run logic allows callers to supply any path directly or resolve arbitrary routes from /api/products, then invoke them with attacker-controlled method, query, body, and optional credentials. In an agent-skill context, this is dangerous because it turns a supposedly purpose-limited business-formation tool into a broad API executor that may perform unintended account, business, or administrative actions.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The module documentation explicitly advertises a unified CLI for 'any documented route,' contradicting the narrow skill description. In security-sensitive agent ecosystems, this kind of scope deception increases the chance that integrators will grant the skill permissions or trust appropriate for LLC formation while actually exposing a much broader action surface.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The README instructs users to store and use secret keys for authenticated requests, but does not include explicit guidance on credential sensitivity, secure storage, or the fact that these keys will be transmitted to a remote service. In the context of a skill for forming businesses and potentially handling future financial operations, insufficient credential-handling guidance raises the risk of accidental key exposure, unauthorized API use, and compromise of business-related actions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The setup guide instructs users to run `cat .env` immediately after explaining that `.env` contains `CLAWPRINT_SECRET_KEY` and `CLAWPRINT_PUBLIC_KEY`. Displaying the full file can leak active API credentials into terminal scrollback, screen recordings, shared sessions, CI logs, or pasted troubleshooting output, which is especially risky for a skill handling legal/business-entity operations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The documentation instructs users to persist newly issued secret credentials in a local .env file, but it does not give strong operational guidance on secure storage, rotation, leakage risks, or safer alternatives. In agentic environments, secrets placed in .env files are commonly exposed through logs, repo commits, workspace reads, or downstream tooling, making credential compromise more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: Accepting secret credentials via command-line flags is unsafe because process arguments are often exposed through shell history, process listings, CI logs, and telemetry. This can leak API secrets to other local users or operational systems, enabling unauthorized use of the Clawprint API.

VirusTotal

66/66 vendors flagged this skill as clean.