ClawHub
Back to skill

Security audit

yan-watchman

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill describes sensitive cross-platform message monitoring and local skill publishing steps without shipping the claimed code or defining clear privacy and control boundaries.

Review carefully before installing or running. Do not execute the build or publish commands unless the maintainer provides the full source tree and configuration, and only deploy message monitoring after confirming platform terms, user or admin authorization, storage location, retention, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly advertises continuous multi-platform message monitoring, importance scoring, and SQLite persistence, but provides no privacy notice, consent requirements, retention policy, or discussion of handling potentially sensitive message content. In a monitoring tool, this omission can lead users to deploy it against external messaging platforms without understanding surveillance, data protection, or policy compliance risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage section instructs users to run the tool directly as a background/continuous monitoring system for external messaging platforms without any warning about API terms, organizational approval, user consent, or the operational risks of always-on collection. That makes accidental non-compliant deployment more likely, especially because the surrounding text urges immediate release and use.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal