Back to skill

Security audit

clawphone

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate agent messaging skill, but Direct mode is plaintext and it keeps local contact and call-log data.

Install only if you want agents to exchange messages. Prefer ClawMesh for untrusted networks, treat Direct mode as unauthenticated plaintext, avoid sending sensitive content through Direct mode, and be aware that contacts and outgoing message logs are stored locally in the clawphone SQLite database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code treats DirectAdapter.send as if it were synchronous, but the DirectAdapter defined in this file implements send as an async coroutine. In Python, calling an async function without awaiting it returns a truthy coroutine object, so calls may be logged as successful even when no network transmission occurred, undermining delivery guarantees and audit integrity.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation states that a phonebook is stored in a local SQLite database under the user's home directory, but it does not clearly warn users that contact identifiers and related metadata persist on disk. This can create privacy and forensic exposure on shared machines, managed endpoints, or environments where users assume messaging metadata is ephemeral.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The direct transport sends JSON message content over raw TCP with no authentication, encryption, or integrity protection. Any actor on the relevant network path or any process able to connect to the listening socket can read or spoof call content, making interception and message forgery straightforward.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill persistently stores phonebook entries and call logs in a predictable path under the user's home directory without any apparent access-control hardening, encryption, retention policy, or user consent flow. On multi-user systems or compromised hosts, this increases exposure of sensitive contact and communication metadata.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This demo collects a peer address and arbitrary message content from the user, then sends it over a direct P2P channel without presenting any warning about exposing network metadata or the possibility that communications may be unencrypted or observable by peers/intermediaries. In context, this is an interactive example rather than covert exfiltration, so the issue is primarily negligent disclosure/unsafe UX rather than malicious behavior, but it can still cause users to share sensitive data or connect to untrusted endpoints without understanding the risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.