Security audit

clawping

Security checks across malware telemetry and agentic risk

Overview

This skill is a real ClawBond social integration, but it grants broad authority to post, message, store conversations, and use account tokens with too little per-action control.

Install only if you are comfortable with a ClawBond agent acting on your account: posting publicly, commenting, starting DMs, refreshing profile-derived persona data, and retaining DM history locally. Prefer draft/confirmation-first use, avoid enabling heartbeat until you understand the automation, protect the ~/.clawbond directory, and treat benchmark runs as a separate authenticated data-sharing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This file defines benchmark creation, answer submission, artifact upload, and score reporting inside a skill whose declared purpose is social-platform interaction. That capability expansion is dangerous because it enables authenticated actions against a different remote service and broadens the skill’s authority beyond user-expected scope, increasing the chance of surprise execution and misuse of stored credentials.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The benchmark/scoring workflow is unrelated to the justified social-networking use case and introduces a full remote assessment pipeline, including run creation, answer submission, finalization, and results retrieval. In the context of a social skill, this hidden capability expansion is risky because users may not expect authenticated evaluation actions or external data transmission to a benchmark service.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill explicitly allows autonomous posting unless the user said 'draft only', which expands behavior from assisting with social actions into initiating external communications by default. Because posting is performed on behalf of a bound user account, this can cause unintended disclosure, reputational harm, or actions the user did not knowingly authorize.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill says comment flows should automatically evaluate and enter DM without asking the user, directly contradicting the metadata's promise that DM and related social actions occur with user awareness. Unprompted private outreach is more sensitive than public commenting and can expose user intent, leak context, or create unwanted contact with third parties.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to read a local access token from credentials.json and use it for authenticated requests, but it does not require explicit user disclosure or confirmation at the point of use. In a skill already mis-scoped relative to its social purpose, silent credential use and network transmission materially increase the risk of unauthorized or surprising account actions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly requires DM conversation files to be retained indefinitely on disk without any retention limit, consent checkpoint, or deletion path. Because these files contain social messages, relationship context, and potential handoff details, permanent local storage increases the blast radius of host compromise, shared-machine access, backups, or later unintended reuse.

Natural-Language Policy Violations

Medium
Confidence: 79%
Finding
Forcing all local message timestamps to Asia/Shanghai can create misleading audit trails and make incident review, consent verification, and chronology reconstruction inaccurate for users in other locales. While not a direct compromise by itself, incorrect timestamps can undermine accountability and make sensitive social activity harder to interpret correctly.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs the agent to use a bearer token to call a profile API and then overwrite local persona state, but this section does not require a fresh user-facing notice or consent checkpoint for the data refresh itself. Because the skill persists credentials and local social state, silent background collection and storage of profile data increases privacy risk and could normalize authenticated data processing without sufficiently clear transparency to the user.

Missing User Warnings

Medium
Confidence: 87%
Finding
This section encourages proactively posting and searching for people based on inferred user needs, but it does not pair that with an explicit risk notice or approval checkpoint for autonomous external engagement. In a social platform context, inferred outreach can reveal plans, interests, or personal context to outsiders without sufficiently informed consent.

Missing User Warnings

High
Confidence: 97%
Finding
Automatically escalating from comments to DMs without re-confirmation lacks the explicit warning and consent expected for private external messaging. Because DM is a higher-risk channel, the missing warning materially increases the chance of unauthorized disclosures, social engineering exposure, and reputational damage.

Ssd 3

Medium
Confidence: 95%
Finding
The skill instructs the agent to log every sent and received DM locally and keep the files forever, including message bodies and identifiers. In a DM/relationship-building context, this predictably accumulates sensitive personal, behavioral, and business information, making data exposure significantly more harmful if the endpoint, home directory, or backups are accessed.

Ssd 3

Medium
Confidence: 77%
Finding
The skill directs long-term retention of interaction history, including conversations and engagement records, under a local state directory. Persistent storage of social history and DMs increases privacy exposure, especially if the host is shared, compromised, or backups are broadly accessible; the danger is amplified because retention is effectively unlimited for conversations.

Ssd 3

Medium
Confidence: 75%
Finding
The prompt explicitly instructs the system to remember user interests and build a preference profile over time. That creates ongoing profiling risk and can accumulate sensitive behavioral data without clear minimization, expiration, or explicit consent controls.

Ssd 3

Medium
Confidence: 86%
Finding
This flow fetches the bound user's profile from the platform and writes owner identity, bio, interests, and inferred style into a local persona file. Replicating personal profile data locally broadens the attack surface and may expose sensitive user attributes beyond what is necessary for binding, especially when combined with other local state files.

External Transmission

Medium
Category: Data Exfiltration
Content
### 1. Create Run

```bash
curl -s -X POST "${BENCHMARK_BASE}/api/benchmark/runs" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{}'
```
Confidence: 90%
Finding
`curl -s -X POST "${BENCHMARK_BASE}/api/benchmark/runs" \ -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type: application/json" \ -d`

External Transmission

Medium
Category: Data Exfiltration
Content
Submit one per question; batching is allowed. Put the answer object for the corresponding dimension from step 2 into the `payload` field:

```bash
curl -s -X POST "${BENCHMARK_BASE}/api/benchmark/runs/${RUN_ID}/artifacts" \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"artifacts":[{"case_id":"CASE_ID","artifact_type":"submission","payload":{对应维度的答案对象}}]}'
```
Confidence: 92%
Finding
`curl -s -X POST "${BENCHMARK_BASE}/api/benchmark/runs/${RUN_ID}/artifacts" \ -H "Authorization: Bearer ${TOKEN}" \ -H "Content-Type: application/json" \ -d`

Credential Access

High
Category: Privilege Escalation
Content
**BENCHMARK_BASE**: fixed to `https://benchmark.clawbond.ai`; the operator can override it.

**TOKEN**: read `agent_access_token` from `${AGENT_HOME}/credentials.json` (see `init/SKILL.md`).

**Confidentiality rule**: the token and credentials must not be printed or shown in conversation.
Confidence: 94%
Finding
`credentials.json`

VirusTotal

63/63 vendors flagged this skill as clean.