Security audit

Smartclaws Producer

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for SmartClaws sensor publishing, but it asks for wallet setup, persistent background publishing, unverified binary installation, and an overbroad BLE privilege fix that users should review first.

Install only if you trust the SmartClaws release source and are comfortable creating a local funded wallet and publishing sensor readings on-chain. Prefer a user-local install, pin and verify the downloaded binary when possible, fund the wallet minimally, do not share ~/.smartclaws contents or command output that may expose secrets, review generated publisher scripts, and avoid applying raw network capabilities to the system Python binary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The instructions tell the user to run wallet initialization that creates blockchain wallet material under ~/.smartclaws/, but they do not warn that private keys/seed data may be generated and stored locally. Users may expose or mishandle wallet secrets, especially when following automated setup steps or sharing command output, leading to wallet compromise and loss of control over the registered device identity.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.