Back to skill

Security audit

ClawGraph

Security checks across malware telemetry and agentic risk

Overview

ClawGraph is a disclosed long-term memory skill that stores explicit user facts persistently, which is privacy-sensitive but aligned with its stated purpose.

Install only if you want automatic long-term memory. Avoid sharing sensitive personal, client, or confidential business details unless you are comfortable with them being stored locally and processed by your configured OpenAI-compatible provider; use a dedicated API key where possible and periodically inspect exported memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to proactively and automatically persist durable user facts without requiring an explicit memory command, but it provides no consent, notice, retention, or sensitivity boundaries. This creates a real privacy risk because users may disclose personal or project information in normal conversation without realizing it will be stored durably across sessions and potentially sent to an external model-backed memory system.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.