Clawpilot

Security checks across malware telemetry and agentic risk

Overview

Clawpilot appears to be a local skill-recommendation advisor that does not install skills automatically; its notable risks are limited to advisory trust, incomplete provenance, and a test script that can run the Python handler.

This skill looks coherent and proportionate for a recommendation advisor. Before installing, remember that it does not actually vet or install other skills for you: review any recommended skill separately, be cautious with legal/medical/mental-health recommendations, and only run the included test script if you intentionally want to execute the local handler.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less external context for who maintains the skill or where to verify updates.

Why it was flagged

The package does not provide an upstream source or homepage for independent provenance checks, although the supplied artifacts are self-contained and show no remote install behavior.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the publisher and review the included files before installing, especially because this skill advises on other skill installations.

ASI05: Unexpected Code Execution
Low
What this means

Running the test script will execute local Python code from the skill package.

Why it was flagged

The test harness can execute the local Python handler. The command target is fixed, arguments are passed without shell expansion, and the artifact presents it as a manual test utility.

Skill content
const proc = spawn("python3", args);
Recommendation

Do not run test.js unless you intend to run the local test harness; normal use should rely on the reviewed handler behavior.

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user might rely too heavily on the advisor's static risk labels when choosing skills for legal, health, or financial-impact tasks.

Why it was flagged

The skill gives risk labels and installation recommendations for potentially sensitive domains. This is purpose-aligned and it includes disclaimers, but users may over-trust static recommendations.

Skill content
Risk labels | Assigns low, medium, high, or pending risk labels ... High | May affect legal rights, financial safety, or health decisions
Recommendation

Treat its recommendations as a starting point, read each recommended skill's own review, and consult qualified professionals for high-risk domains.