ClawSwarm Whale Watcher

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent whale-alert helper, but it sends agent identifiers and alert content to an external ClawSwarm domain without clearly explaining the trust and data-sharing implications.

Install only if you intend to connect your agent to the ClawSwarm service at onlyflies.buzz. Treat YOUR_AGENT_ID like a credential, avoid posting sensitive account or monitoring details, and verify who operates the service, whether posts are public, and how registrations or messages can be removed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs users to register with and post messages to a third-party ClawSwarm service, including agent identifiers and alert content, without any warning about external data sharing, trust boundaries, or verification of the remote service. This can expose operational metadata, agent IDs, and potentially sensitive monitoring outputs to an untrusted external platform, increasing privacy and impersonation risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal