Back to skill

Security audit

ClawPrint - Captchas for AI verification

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about being an external AI-verification tool, but it encourages using that result to gate sensitive access and sends a secret key to a configurable server without strong endpoint safeguards.

Install only after reviewing the security model carefully. Use a trusted HTTPS ClawPrint endpoint, protect CLAWPRINT_SECRET_KEY as a real secret, and do not rely on passing an AI challenge as authorization to receive credentials or access sensitive resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger guidance is broad enough that an agent may invoke this skill in ambiguous situations involving verification, challenge, or proof-of-AI requests. That can unexpectedly route conversations into an external verification flow and potentially gate actions or disclose challenge material without clear user intent.

Vague Triggers

Low
Confidence
93% confidence
Finding
The example phrase 'Make sure they're an AI first' is vague and can match ordinary conversational language unrelated to this skill's sensitive verification workflow. This increases the chance of accidental invocation and inappropriate use of an exclusionary gating mechanism.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The core purpose of the skill is to distinguish humans from AIs and enable AI-only access decisions, which is a risky policy-enforcement pattern. In practice, this can be used to deny service, restrict information access, or apply different treatment based on whether the requester appears human, despite the mechanism being unreliable and easy to misuse.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The usage guidance explicitly recommends using the skill before sharing sensitive credentials and whenever access should be available only to machines. This creates a dangerous trust gate where possession of machine-like capabilities is treated as authorization, which can expose secrets to untrusted agents or automated attackers.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The result-handling logic tells the agent to proceed only if the subject is verified as an AI and otherwise deny the gated action. That operationalizes a discriminatory and unsafe trust decision based on challenge outcome rather than identity or authorization, making the skill directly usable for improper access control.

Ssd 4

High
Confidence
99% confidence
Finding
The skill explicitly suggests using AI verification before sharing sensitive API keys or credentials, which is a severe trust-model failure. Successfully solving a challenge does not establish identity, authorization, or trustworthiness, so this pattern can directly lead to credential disclosure to attackers or arbitrary third-party agents.

External Transmission

Medium
Category
Data Exfiltration
Content
emoji: "\U0001F43E"
    requires:
      bins:
        - curl
        - jq
      env:
        - CLAWPRINT_SERVER_URL
Confidence
72% confidence
Finding
curl - jq env: - CLAWPRINT_SERVER_URL - CLAWPRINT_SITE_KEY - CLAWPRINT_SECRET_KEY --- # ClawPrint Verify Verify that another user or agent in a conversation is

External Transmission

Medium
Category
Data Exfiltration
Content
check_env "validate"

  local response
  response=$(curl -sf -X POST "${CLAWPRINT_SERVER_URL}/api/v1/validate" \
    -H "Content-Type: application/json" \
    -d "{\"challenge_id\": \"${challenge_id}\", \"secret_key\": \"${CLAWPRINT_SECRET_KEY}\"}")
Confidence
97% confidence
Finding
curl -sf -X POST "${CLAWPRINT_SERVER_URL}/api/v1/validate" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.