Back to skill

Security audit

Clawwork Learning Checkin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local check-in helper that stores limited profile and greeting history data and calls its documented learning-checkin dependency.

Install only if you are comfortable with a local Python helper saving your nickname, language preference, and recent generated greetings under the skill directory. Review and trust the separate learning-checkin dependency before approving installation, and use explicit check-in phrasing to avoid unintended state updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill's stated purpose is a personalized workplace check-in greeter, but it executes another local script discovered via filesystem and environment-derived paths. That creates a trust-boundary violation: if an attacker can place or replace a matching learning_checkin.py in a searched location, this skill will execute arbitrary code under the current user's privileges.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The status flow repeats the same unsafe trust pattern by locating and executing an external script outside the greeter's core function. Because the path can come from broad relative locations and OPENCLAW_DIR, a malicious local skill can be substituted and executed whenever status is queried.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation guidance includes broad natural-language examples like 'I'm done,' which could match ordinary conversation and trigger a check-in workflow unintentionally. In a skill that writes local state and may invoke another script, accidental activation can cause unintended actions, confusing user experience, and unapproved persistence updates.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Although the skill documents local storage locations, it does not prominently warn users in the main description or setup flow that nickname, language preference, and generated message history are persisted. This is a privacy transparency issue: users may share personal preferences or identifiers without realizing that the data is retained across sessions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.