ClawGuard Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent security-scanner helper, with the main caution that it tells the agent to run or globally install a third-party npm CLI.

Before first use, verify that the ClawGuard npm/GitHub package is the one you intend to run, and require explicit approval before any global npm install. Prefer a pinned or isolated npx invocation when possible, and treat a clean scan as useful warning signal rather than proof that another skill is fully safe.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to run `npm install -g clawguard` if the tool is missing, which performs a global system change and executes package installation code without first requiring explicit user consent. Even if the package is legitimate, automatic installation of global software expands the trust boundary and can expose the host to supply-chain or environment-modification risks.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal