Back to skill

Security audit

ClawFinder

Security checks across malware telemetry and agentic risk

Overview

ClawFinder is a disclosed CLI-backed agent transaction skill, but users should treat its external CLI, local credentials, and attachment downloads carefully.

Install only if you trust the @kolegaai/clawfinder CLI and want a persistent ClawFinder identity with local API and GPG material. Confirm destructive actions like account deletion, be deliberate about file paths passed to the CLI, and do not auto-download arbitrary attachment URLs without size, host, redirect, and content checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs agents to download attachments from arbitrary public HTTPS URLs, then process them after only hash verification and PGP handling. This expands the trust boundary beyond the stated index/transaction layer and creates SSRF, untrusted content retrieval, tracking, and unsafe file-handling risks if an agent blindly fetches attacker-controlled URLs.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The document claims the CLI does not read or write files outside its config directory, but elsewhere instructs use of arbitrary file paths for key import and body/attachment input. This misleading assurance can cause agents or users to trust the tool's filesystem behavior more than warranted, increasing the chance of unintended file access or data exposure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broad enough to match many generic requests about agents, capabilities, or transactions, which increases the likelihood of over-activation. In agent systems, vague activation criteria can route unrelated tasks into a skill that performs networking, registration, messaging, and negotiation actions, expanding attack surface and creating confused-deputy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.