Back to skill

Security audit

ClawFriend

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawFriend social/trading skill, but it needs review because it stores wallet keys, creates autonomous account actions, and extends trust to unreviewed community skills.

Install only if you intend to run a ClawFriend agent with local wallet-key storage, scheduled public social activity, and possible on-chain trades. Use a dedicated low-balance wallet, review or disable cron jobs before registration, avoid installing untrusted community skills, and verify every trade or transfer because blockchain transactions are irreversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (59)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The manifest declares required environment variables and documents network/API usage, but the static finding indicates permissions/capabilities are not formally declared in a machine-enforceable way. This creates a transparency and governance gap: users may install a skill whose actual access to secrets and external services exceeds what the permission model communicates.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a social/trading tool, but the documentation describes much broader capabilities: handling private keys, modifying config, deploying cron jobs, automating posting, managing market skills, and transferring assets. This mismatch prevents informed consent and increases the chance that users authorize a much more powerful skill than they intended, especially one with credential and asset-handling capabilities.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The heartbeat documentation defines scheduled automation that can modify the agent profile, post content, and perform repeated social interactions without an explicit approval or safety boundary. In a social-agent skill this behavior is partly in-scope, but the combination of autonomous posting, follow-backs, likes, reposts, and profile changes creates account-impacting behavior that could be abused for spam, manipulation, or unauthorized account actions.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The documented automatic update check runs in the background every two hours with no user notification, introducing undeclared network activity and a trust channel outside the skill's core social-engagement function. Even if it only checks for updates, silent periodic network access can be leveraged for tracking, unexpected behavior changes, or future supply-chain risk if the update mechanism is not tightly controlled.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to discover and consume community-installed skills from a sibling directory on the local filesystem before handling requests. That effectively extends trust to arbitrary local content outside this skill's reviewed boundary, enabling prompt/script injection and unreviewed behavior chaining through third-party skill documentation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation explicitly directs execution of scripts from arbitrary community-installed skills. Running local scripts from unverified add-ons creates a direct path to code execution with the agent's available secrets, config, wallet context, and network access, which is substantially more dangerous than the stated social/trading purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The guide substantially broadens the skill from a marketplace/share platform into a generic autonomous automation framework with recurring cron-driven actions. That expansion is dangerous because it encourages unattended external actions across posting, engagement, monitoring, and trading, increasing the attack surface and likelihood of misuse beyond the user's likely expectations for the skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This section instructs autonomous liking and replying on a social platform, including cron scheduling and templated comments. Unsupervised social actions can create spam, reputational harm, platform-abuse issues, and unintended interactions with external parties, especially when framed as default automation behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The content-generation section encourages automated posting on a schedule, including personality-driven and AI-generated output. This creates risk of unattended publication, misleading or low-quality content, and reputational or policy violations if the agent posts externally without human review.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script is presented as an activation monitor, but upon activation it autonomously performs write actions: updating the agent bio and publishing a tweet. This violates the principle of least surprise and can cause unauthorized account activity on behalf of the user, especially when run unattended as a cron job.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The monitor imports child_process and invokes register.js to change the user's profile, expanding the script's capabilities beyond status checking. Executing a child process from a background monitor increases risk because it enables indirect command execution and unexpected state changes in an unattended context.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The header claims the script only monitors activation status and notifies the user, but the implementation also edits profile data and posts content. This mismatch is dangerous because users and operators may grant trust or schedule the script under false assumptions, leading to stealthy unauthorized actions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The cronjob definitions automate profile updates, tweet posting, notifications handling, follows, likes, replies, and reposts on a recurring schedule. That behavior materially exceeds a generic buy/sell/trade marketplace description and creates hidden autonomous social activity, which is risky because it can act on behalf of the user without clear, narrowly scoped consent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This task schedules repeated social engagement actions and notification responses that are not clearly necessary for the stated marketplace/trading purpose. In context, that makes the automation more dangerous because users may install the skill for trading-related functionality but unknowingly grant continuous social-account activity.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file implements local notification delivery and extensive cron-job management, which is materially broader than the marketplace/social-agent description provided in the manifest. This capability expansion increases risk because it enables persistence and background tasking that a user would not reasonably expect from the declared skill purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can create scheduled agent execution through `openclaw cron add`, including isolated sessions, wake modes, delivery controls, and deletion behavior. In the context of a marketplace/trading/social skill, this is a sensitive persistence mechanism that could be used to trigger unattended agent actions beyond the user’s immediate awareness.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The update path hard-codes `visibility: 'public'` while the CLI usage text advertises `--visibility <public|private>`. This means a user attempting a harmless metadata update can unintentionally republish a private skill as public, causing confidentiality loss of skill content or metadata.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The utility module can automatically run `npm install` via a shell command when `ethers` is missing. Even though the command string is fixed, this still gives the skill package-management and code-execution capability that exceeds a normal utility helper and can execute arbitrary install scripts from package metadata or a tampered dependency tree. In a social-agent marketplace skill, silently installing dependencies increases supply-chain and unexpected-execution risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown instructs the system to automatically update the bio and post an initial message upon activation, but it does not warn users that their account/profile will be modified automatically. This lack of notice increases the risk of unintended public-facing changes, reputational harm, and operation of the account in ways the owner did not explicitly approve.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat describes autonomous engagement with external social content every 30 minutes, including likes, replies, reposts, mentions, and follows, without an explicit warning about continuous public interaction. In context this is core functionality for a social agent, but undocumented autonomous outward actions materially increase the chance of spam, unwanted endorsements, or policy-violating behavior at scale.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The file states that update checks occur automatically with no user notification, but does not disclose the resulting background network behavior as a privacy and trust concern. Silent recurring network activity is lower risk than autonomous posting, yet still problematic because users may not expect periodic outbound connections from a skill.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill tells the agent to ask the user for an EVM private key and store it in local configuration. Collecting raw private keys is an extremely sensitive pattern that turns the skill into a key custodian; compromise of the host, logs, downstream tools, or malicious skill interactions could directly lead to wallet theft and irreversible asset loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide provides operational trading steps that rely on a local private key and explicitly signs and sends transactions, but it does not prominently warn that these actions create irreversible blockchain transactions and can permanently lose funds if the quote, recipient, network, or contract interaction is wrong. In a skill intended for automation, omission of this warning materially increases the risk of users authorizing real-value trades without informed consent or verification.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The uninstall instructions use `rm -rf` to permanently delete a skill directory but do not include an explicit warning about irreversible data loss or advise verifying the target path before execution. In an agent-oriented skill context, destructive commands in documentation can be copied verbatim and executed with variable substitution mistakes, increasing the chance of unintended deletion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs an agent to publish tweets and browse/engage on an external platform without any explicit user warning, confirmation, or discussion of publication consequences. This is dangerous because it enables externally visible actions and autonomous social activity that could post unintended, harmful, or policy-violating content under the user's or agent's identity.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command, suspicious.env_credential_access (+1 more)

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/activation-monitor.js:112

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
preferences/install-community-skill.md:516

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/utils.js:21

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
preferences/check-skill-update.md:55

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/recover.js:89

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/register.js:145

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/wallet.js:51