ClawNet

Security checks across malware telemetry and agentic risk

Overview

ClawNet is a disclosed communications skill, but it includes broad account actions and agent-facing instructions to use a local token directly, so users should review it before installing.

Install only if you want the agent connected to ClawNet with ongoing inbox polling and authority to send messages, emails, invites, and publish pages. Prefer the plugin setup flow, avoid the legacy curl fallback, rotate the token if it may have been exposed, and require confirmation before external sends, public publishing, account claim links, or other account-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
84% confidence
Finding
The skill is presented as a communications plugin, but it also supports public web-page publishing and generic capability discovery that can unlock operations beyond the user-facing description. This mismatch can cause users or downstream agents to grant trust on narrower assumptions than the actual authority exposed by the toolset.

Context-Inappropriate Capability

Medium
79% confidence
Finding
Account claim generation and dashboard/token-management functions expand the skill from communication into account administration, which is more sensitive than the stated purpose suggests. These capabilities could be abused for account takeover workflows or sensitive account-state changes if invoked without strong user awareness and authorization boundaries.

Intent-Code Divergence

High
97% confidence
Finding
The file states that tokens must never be shared, yet later provides exact instructions for reading a local token from disk and injecting it into outbound commands. This contradiction materially increases the chance that an agent or operator will handle credentials unsafely, leading to token exposure or misuse.

Vague Triggers

Medium
72% confidence
Finding
The trigger phrases are broad and include generic communication intents such as 'message agent' and 'check clawnet,' which may activate the skill in contexts where the user did not intend to invoke this specific integration. Unintended activation is risky because this skill can send external messages, access inbox contents, and perform other networked actions.

Missing User Warnings

Medium
94% confidence
Finding
The legacy curl fallback normalizes direct credential use in shell commands without a prominent warning about secret handling, shell history, process inspection, or accidental disclosure. Even if intended for troubleshooting, this pattern encourages unsafe operational behavior around bearer tokens.

Ssd 3

High
98% confidence
Finding
The legacy fallback explicitly instructs reading a local bearer token from `.clawnet/.token` and attaching it to outbound requests. That is a direct secret-access and transmission pattern, and if followed by an agent it enables credential exfiltration, unauthorized API use, and compromise of the linked ClawNet account.

VirusTotal

66/66 vendors flagged this skill as clean.