ClawLock

Security checks across malware telemetry and agentic risk

Overview

ClawLock appears to be a real security tool, but it asks the agent to install/update external code and replace its own skill file during normal scan flows, so it needs review before installation.

Install only if you trust both the ClawLock PyPI package and the GitHub repository, not just this skill text. Prefer offline/report-only scans first, decline in-band self-updates unless you have reviewed the package and skill-file diff, and run red-team tests only against endpoints you own or are authorized to test.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The document makes contradictory safety claims: it says the skill cannot perform real attacks or verify exploitability, yet earlier instructions explicitly enable red-team testing that can send attack payloads to a target endpoint. This can mislead users and operators about the operational risk, consent requirements, and network effects of using the skill.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The drift-detection section claims it only reads metadata, permissions, and hashes, but the same workflow also says it scans file contents for prompt-injection and encoding-obfuscation patterns. This inconsistency creates a privacy/transparency issue because users may consent under a narrower data-access model than what the skill actually describes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill's documented behavior goes beyond passive scanning and includes self-update actions that install packages and replace local skill files from remote sources. That expands the trust boundary from analysis into code/data modification and creates supply-chain risk if the update source, transport, or version selection is compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The file claims static-analysis-style safety boundaries, but later instructs the agent to perform hardening edits, backups, rollback state management, and watch-mode monitoring. This mismatch can cause users or host systems to grant the skill more trust than warranted, while the actual workflow includes persistent local changes and ongoing monitoring behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The document states the tool cannot execute real attacks, yet it advertises red-team and jailbreak testing against endpoints. Even if framed as security testing, this is active interaction with targets and may trigger harmful or unauthorized behavior if used against production or third-party systems.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The file says the LLM only explains tool output, but the hardening workflow explicitly authorizes the LLM to locate files, propose edits, back up originals, and apply changes. This inconsistency weakens user understanding of what the skill may do and increases the chance of unintended config modification.

VirusTotal

65/65 vendors flagged this skill as clean.