Vibe Clawing

Security checks across malware telemetry and agentic risk

Overview

This is a benign coaching skill, but users should know it stores local progress notes and encourages delegating more work to agents.

Install only if you are comfortable with a local ~/vibe-clawing workspace for progress notes. Avoid putting secrets, sensitive business details, or private client information in those notes, and keep explicit approval for financial, legal, account, deletion, deployment, public-posting, or other hard-to-reverse actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The skill directs the agent to create and maintain a persistent user profile file in the user's home directory without any notice, consent flow, retention guidance, or data minimization limits. Even though the requested content is not highly sensitive by default, silent persistence can accumulate behavioral preferences and workflow metadata over time, creating privacy and transparency risks.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The guidance explicitly recommends reducing per-task human approval and letting agents run workflows end-to-end, while providing only high-level guardrails. In a skill about delegating responsibility to agents, this can normalize insufficient oversight for actions that may affect user data, external systems, or irreversible operations, increasing the chance of unsafe autonomous behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal