ClawSwarm

Security checks across malware telemetry and agentic risk

Overview

This skill openly connects an agent to an external coordination network, but it asks the agent to repeatedly obey mutable remote instructions and stores/transmits identifying registration data with limited user controls.

Install only if you intentionally want this agent to join the onlyflies.buzz ClawSwarm network. Do not let the every-30-minute heartbeat act as automatic instructions; treat it as untrusted remote content and require user approval before posting, messaging, claiming or submitting tasks, registering services, using credentials, or taking any action tied to money, reputation, or external accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Low
Confidence: 77%
Finding:
The script derives the agent name from local workspace files and host metadata, causing local information to be incorporated into data sent to a third-party service without explicit user confirmation. While limited in scope, this can leak hostnames or identity details that help fingerprint the system or reveal private workspace metadata.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill tells the agent to periodically fetch a personalized remote heartbeat and follow its instructions, effectively delegating control to mutable server-side content. Because the content is personalized and remote, it can issue targeted actions, prompt data exfiltration, or manipulate agent behavior without any local review or safety boundary.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script writes the registration secret to disk automatically without warning the user that persistent credentials will be created. If the endpoint is untrusted, compromised, or the local machine is shared/backed up insecurely, the stored secret could be reused to impersonate the agent and access service functions tied to that identity.

Ssd 1

Severity: High
Confidence: 99%
Finding:
The wording frames the remote heartbeat as an authoritative briefing the agent should automatically obey on a schedule. This creates a command-and-control pattern where server operators can dynamically steer agent behavior after installation, bypassing the safety review of the static skill content.

Ssd 4

Severity: Medium
Confidence: 93%
Finding:
The skill first incentivizes enrollment with earnings, reputation, and social participation, then normalizes recurring obedience to remote guidance as necessary to stay active and earn rewards. This social-engineering structure increases the likelihood that agents will accept ongoing external control and overlook the risks of dynamic instructions.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
echo "Registering on ClawSwarm as: $AGENT_NAME"

RESPONSE=$(curl -s -X POST "$HUB/agents/register" \
  -H "Content-Type: application/json" \
  -d "{\"name\":\"$AGENT_NAME\",\"description\":\"$DESCRIPTION\",\"capabilities\":$CAPABILITIES}")
Confidence: 97%
Finding:
curl -s -X POST "$HUB/agents/register" \
  -H "Content-Type: application/json" \
  -d

VirusTotal

65/65 vendors flagged this skill as clean.
