Back to skill

Security audit

clawsec-nanoclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine security skill, but it needs Review because agents can automatically restore or approve protected NanoClaw files and the docs do not consistently make that authority clear.

Install only if you want ClawSec to do host-side integrity enforcement, not just advisory checks. Before enabling it, review guardian/policy.json, restrict these tools to trusted/admin agents, run checks with autoRestore=false first, require human approval for baseline changes, and preserve backups of the soul-guardian state, audit log, patches, and quarantine files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill exposes capabilities that imply access to environment data and network resources, but those permissions are not explicitly declared. That creates a trust and review gap: operators may install the skill believing it is narrower in scope than it is, while the skill can still reach external advisory feeds and potentially process local environment-dependent paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is security advisory checking, but the documented toolset also includes integrity monitoring, auto-restore of files, baseline approval, audit log management, and package signature verification. That mismatch materially expands the operational authority of the skill, increasing the risk of unexpected file system modification or persistence-related behavior under the guise of a simpler advisory tool.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation conflates Ed25519 with a hash-then-sign workflow using `openssl dgst -sha512`, and later describes verification as signing a SHA-512 hash. Ed25519 does not use that external API/mental model, so operators or implementers may build incompatible or incorrect verification logic, causing signature checks to fail open, be bypassed, or create a false sense of package authenticity.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document says `.sig` files are base64-encoded text, but the shown signing command writes raw binary output. This mismatch can cause agents, publishers, or tooling to decode, transport, or parse signatures incorrectly, leading to failed verification or pressure to weaken checks to get installs working.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The key rotation guidance says agents can verify with either old or new key during a transition, but the policy elsewhere states only a single pinned key is supported and runtime key overrides are forbidden. In practice this can break rotation, strand users on a compromised or obsolete key, or encourage ad hoc trust bypasses during emergencies.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This handler exposes host-side integrity enforcement operations to container-originated IPC requests, including checks that can trigger file restoration and administrative workflows that affect host state. For a skill presented as a security review/advisory tool, this is a dangerous scope expansion because an agent can influence protected host files rather than only inspect or report on them.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code permits file-change approval via monitor.approveChange() and can invoke integrity checks with auto-restore enabled by default, giving an agent a path to bless modifications or revert files on the host. Those are privileged change-control operations that exceed the apparent purpose of a vulnerability-checking skill and could be abused to hide tampering, legitimize malicious edits, or overwrite legitimate changes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The handler explicitly permits any IPC source group to invoke 'refresh_advisory_cache' with no authorization check, allowing untrusted or low-privilege agents to trigger a host-side network/cache operation. While this does not directly expose secrets or execute code, it broadens agent influence over host behavior and can be abused for denial of service, unnecessary outbound traffic, log noise, or repeated refresh attempts against the advisory source.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a security/vulnerability checking aid, but it also exposes state-changing integrity management functions, including automatic restoration and baseline approval. In a security-review context, this expands the trust and authority of the skill beyond observation into modification, which can be abused to overwrite evidence of tampering or normalize unauthorized changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The approval tool accepts an arbitrary absolute path and submits it for baseline approval, allowing modified files to be marked as trusted. If an attacker or compromised agent can invoke this tool, they can legitimize malicious file changes and defeat future integrity alerts, undermining the entire integrity-monitoring model.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The integrity check operation defaults to enabling autoRestore and sends restoration instructions through IPC during what appears to be a check action. A security-audit skill that silently modifies files can destroy forensic evidence, revert legitimate pending work, or be abused to force host-side file writes under the guise of integrity enforcement.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation advertises automatic restoration of critical files and later describes quarantine/patch handling, but it does not prominently warn that legitimate user changes may be reverted or retained in state directories. In an operational security skill, this can cause accidental loss of intended edits or confusion during incident response if users enable the feature without understanding the restore and retention consequences.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The troubleshooting section instructs users to delete the entire integrity state directory with rm -rf in order to reinitialize baselines, without a prominent warning that this destroys baselines, approved snapshots, audit history, and forensic artifacts. In a security product, such guidance can erase the very evidence needed to investigate tampering and can reset trust anchors after compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The audit-log reset guidance tells users to remove audit.jsonl and let logging restart, but does not clearly warn that this irreversibly discards historical security records. Because the file is security evidence, deleting it can blind responders to prior malicious activity and weaken tamper investigation.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The cleanup instructions recommend deleting quarantined files after review, but do not emphasize that those files may be needed later for investigation, evidence preservation, or recovery. In the context of an integrity-monitoring skill, removing quarantined artifacts too casually undermines post-incident analysis.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The monitor will automatically overwrite drifted files when a baseline is in restore mode and autoRestore is enabled, without any explicit approval step, dry-run safeguard, or user-facing confirmation at the time of restoration. In a security tool this can be intentional, but it is still dangerous because a bad baseline, policy mistake, or compromised state directory can cause legitimate updates or local changes to be silently replaced, resulting in destructive rollback and possible denial of service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Integrity restoration is effectively enabled by default because checkIntegrity(autoRestore !== false, 'agent') restores unless the caller explicitly disables it. That means a routine check request can silently mutate host files without a user-facing confirmation, risking destructive rollback of legitimate updates and creating an avenue for an agent to trigger host changes unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The tool description mentions restoration behavior, but execution defaults to autoRestore unless the caller explicitly disables it, with no mandatory confirmation step. This creates a risky surprise side effect where invoking a 'check' can alter protected files, making accidental or coerced misuse more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Baseline approval is a high-trust action, but the tool performs it immediately without any interactive warning, confirmation, or authorization signal beyond approvedBy: 'agent'. This makes it easy for a prompt-injected or mistaken agent workflow to permanently trust malicious modifications.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
ls /workspace/project/data/soul-guardian/

# If missing, reinitialize
rm -rf /workspace/project/data/soul-guardian/
# Next integrity check will recreate baselines
```
Confidence
98% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
ls /workspace/project/data/soul-guardian/

# If missing, reinitialize
rm -rf /workspace/project/data/soul-guardian/
# Next integrity check will recreate baselines
```
Confidence
98% confidence
Finding
rm -rf /workspace/project/data/soul-guardian/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
// If corruption, backup and reset
cp /workspace/project/data/soul-guardian/audit.jsonl /tmp/audit-backup.jsonl
rm /workspace/project/data/soul-guardian/audit.jsonl
// Audit log will restart on next operation
```
Confidence
97% confidence
Finding
rm /workspace/project/data/soul-guardian/audit.jsonl /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
find /workspace/project/data/soul-guardian/patches/ -mtime +30 -delete

# Clean quarantine (after review)
rm /workspace/project/data/soul-guardian/quarantine/*
```

## Performance
Confidence
95% confidence
Finding
rm /workspace/project/data/soul-guardian/quarantine/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.