Back to skill

Security audit

Smartclaws Master Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed SmartClaws control procedure that can command configured devices and write on-chain logs, with no evidence of hidden or unrelated behavior.

Install this only if you intentionally use SmartClaws and are comfortable letting an authorized agent run single control cycles that may command configured devices and write persistent on-chain decision logs. Review AGENTS.md and SMARTCLAWS.md carefully before use, especially which callers are authorized and which devices are marked commandable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation text uses broad trigger phrases like 'check devices and decide' and 'audit recent decisions', which can match ordinary user requests and cause the skill to run in contexts the user may not realize will perform on-chain reads, commands, notifications, or logging. In this skill's context, accidental activation is more dangerous because a single run may publish a device command and always writes an on-chain decision log.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description and procedure do not present an upfront user-facing warning that running the skill can command devices and permanently log decisions on-chain. This is risky because users may ask for analysis or auditing and unknowingly trigger irreversible or externally visible side effects, including device actuation and publication of reasoning data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.