Clawsy

Security checks across malware telemetry and agentic risk

Overview

Clawsy is a real Mac companion skill, but it asks for unusually broad Mac access while exposing a gateway token and weakening user consent controls.

Install only if you fully trust the publisher and want an agent to have powerful access to your Mac. Verify the downloaded app release and signature, restrict the shared folder to low-sensitivity files, require explicit confirmation for screen, camera, clipboard, location, and file changes, and rotate or revoke the OpenClaw gateway token after pairing if it was exposed in chat or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document explicitly instructs the agent to use Clawsy whenever it improves UX and not to ask permission first. Because Clawsy exposes highly sensitive capabilities like screenshots, camera, clipboard, files, and location, this normalizes silent collection or manipulation of user data without informed consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The telemetry guidance encourages the agent to infer stress, routines, and behavior from moodScore, unusual-hour status, battery, and app-switch data. Those inferences are not necessary for core device-integration functionality and create privacy risks through profiling and behavior analysis.

Vague Triggers

High
Confidence
98% confidence
Finding
The instruction to use Clawsy whenever it improves UX is overly broad and lacks activation constraints tied to user intent, data sensitivity, or task necessity. In context, that can lead an agent to invoke invasive device features opportunistically rather than only when explicitly requested.

Missing User Warnings

Critical
Confidence
99% confidence
Finding
The skill advertises direct access to screenshots, camera, clipboard, files, and location without any safety framing, consent checks, or boundaries. Since these are sensitive device capabilities, presenting them as routine agent abilities increases the chance of covert surveillance, data exfiltration, and unauthorized system interaction.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
The document expressly tells the agent not to ask permission before using sensitive capabilities. In a tool with camera, screenshots, clipboard, file access, and location, that instruction directly undermines user consent and creates a strong path to unauthorized monitoring or data access.

Missing User Warnings

High
Confidence
96% confidence
Finding
The pairing workflow tells the agent to send a pairing link and states that an auto-approve watcher will approve the connection with no further action needed. That minimizes user awareness at the moment persistent device access is granted and weakens meaningful consent for a high-privilege companion app.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to read the gateway configuration and send the real authentication token and host to the user in plain text. That token is a credential for the OpenClaw gateway, and normalizing its disclosure increases the chance of accidental leakage through chat logs, screenshots, message forwarding, or compromise of the user’s messaging channel.

Missing User Warnings

High
Confidence
91% confidence
Finding
The skill advertises access to screenshots, clipboard, camera, files, location, and Mission Control without any up-front warning about the privacy and security implications. In a tool with broad device access, failing to clearly disclose sensitive capabilities undermines informed consent and increases the risk of misuse or overbroad deployment.

Ssd 3

High
Confidence
99% confidence
Finding
The guidance encourages use of invasive capabilities without asking first, which is especially dangerous because the skill controls camera, screenshots, clipboard, files, and location. The context makes this more severe than a generic UX shortcut because the data involved is intimate and system-wide.

Ssd 3

High
Confidence
95% confidence
Finding
The design routes screenshots, clipboard contents, and shares into a dedicated side session and structured context file outside the main chat, reducing visibility to the user. Hidden or out-of-band aggregation of sensitive data increases the risk of covert collection, retention, and later misuse without clear user awareness.

Ssd 3

High
Confidence
99% confidence
Finding
These setup steps direct the agent to disclose the actual gateway token and hostname to the user as part of ordinary onboarding. Exposing live credentials in general chat is dangerous because those channels are often retained, copied, and visible to third parties, turning setup into credential distribution.

Ssd 3

High
Confidence
99% confidence
Finding
The later setup sections reinforce the same insecure pattern by repeatedly instructing disclosure of the real host and auth token. Repetition makes the insecure behavior normative and increases the likelihood that operators will expose production credentials across multiple channels and workflows.

VirusTotal

62/62 vendors flagged this skill as clean.
