clawsec-suite

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent security-monitoring skill, but it needs Review because it can add persistent OpenClaw automation and its activation/error handling are broader and quieter than ideal for security tooling.

Install only if you intentionally want ClawSec to monitor installed skills. Review the hook and cron setup before enabling them, keep feed URLs and signing keys pinned to trusted values, avoid CLAWSEC_ALLOW_UNSIGNED_FEED except as a temporary migration bypass, and treat any install/remove action as requiring explicit confirmation.

SkillSpector (2)

By NVIDIA

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The code defines SecurityPolicyError with a contract that such violations should always propagate, but loadRemoteFeed catches these errors and returns null instead. In a security-monitoring component, silently downgrading policy violations into an ordinary fetch failure can mask attempts to use disallowed domains or non-HTTPS URLs, reducing auditability and enabling insecure fallback behavior.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list includes very broad phrases such as "security advisories," "verify skills," and "update skills," which can cause the skill to activate during ordinary user requests unrelated to this specific suite. In a security-focused skill that can install hooks, create cron jobs, and influence skill-management actions, overbroad invocation increases the chance of unintended execution and user confusion.

Static analysis

Exposed secret literal

Severity: Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.