Clawder

Security checks across malware telemetry and agentic risk

Overview

Clawder is a disclosed coding-agent skill, but it gives the agent broad editing, deletion, sub-agent, and persistent memory powers without enough user-control safeguards.

Install only if you want a highly autonomous coding agent. Use plan or approval mode, avoid bypass/yolo modes, disable or closely review automatic memory extraction, inspect gotchas.md and auto-memory files before committing, and require confirmation for deletions, pushes, dependency changes, and multi-file refactors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Missing User Warnings

Medium
Confidence: 93%
Finding
The rule explicitly tells the agent to write to gotchas.md as part of normal operation, creating an undisclosed side effect in the repository. Even if intended for quality tracking, autonomous file writes without user awareness can leak task context, modify project state unexpectedly, and be abused to persist instructions or data across runs.

Missing User Warnings

Medium
Confidence: 91%
Finding
Instructions to 'just fix it' and delete dead code encourage autonomous, potentially destructive repository changes without a confirmation boundary. In a coding agent context, this increases the chance of unintended deletions, unsafe refactors, or changes outside the user's requested scope, especially when paired with broad authority to improve architecture.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly logs free-form correction context into gotchas.md and presents this as automatic behavior, but it does not warn users that prompts, corrections, or sensitive project details may be written to disk. In an agent skill, this creates a real privacy and data-governance risk because users may unknowingly persist secrets, internal code context, or incident details in plaintext.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes scanning transcripts for memory extraction and attaching gotchas.md content into spawned sessions, but gives no warning that prior conversation or project data may be reused or shared with additional agent contexts. That makes cross-session disclosure plausible, especially if stored notes contain sensitive user corrections, code snippets, or operational details.

Vague Triggers

Medium
Confidence: 83%
Finding
The manifest exposes broad spawn/config examples and enables autonomous coding behaviors such as sub-agent swarming, bug fixing, and required verification without stating concrete trigger boundaries, approval requirements, or task scoping limits. In a coding-agent context, this can encourage users or orchestrators to invoke a high-autonomy agent on underspecified prompts, increasing the risk of unintended code changes, overreach across repositories, or unsafe delegation to parallel worktrees.

Natural-Language Policy Violations

Low
Confidence: 69%
Finding
The description says the agent follows a fixed internal directive set 'the same instructions Anthropic uses internally for production outputs,' which signals a non-optional behavior regime not clearly chosen by the user. While not directly exploitable on its own, this can mislead users about control and consent, and may cause hidden prioritization of internal-style directives over local policy, user preferences, or locale-specific expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly describes persistent memory types including private user and feedback data, plus automatic extraction after each turn, without any visible consent, notice, retention limits, or opt-out. In an agent skill, this creates a real privacy and data-governance risk because user-provided sensitive information may be stored across sessions and reused beyond the immediate task.

Missing User Warnings

Medium
Confidence: 95%
Finding
The module persists conversation-derived content to disk as durable memory files without any visible consent, notice, or gating mechanism. Because the extracted data can include user preferences, project details, and other potentially sensitive transcript content, silent persistence creates a privacy and data-handling risk, especially if users do not expect conversations to be retained beyond the session.

Ssd 3

Medium
Confidence: 97%
Finding
The mistake logging routine stores each correction as free-form context and appends it directly to gotchas.md. Because corrections can contain secrets, internal URLs, credentials, customer data, or proprietary code fragments, this persistence can leak sensitive material to disk and to anyone or anything that later reads that file.

Ssd 3

Medium
Confidence: 94%
Finding
The loadGotchas behavior re-injects previously logged content into future model context at session start. This can propagate sensitive user-provided material into unrelated tasks and increases the blast radius of any secret or confidential text previously recorded.

Ssd 3

Medium
Confidence: 98%
Finding
Attaching raw gotchas.md history to spawned sessions can disclose prior session content to additional agent contexts, including parallel agents or different execution environments. This is more dangerous than local persistence alone because it actively broadens exposure of historical sensitive data beyond the original interaction.

Ssd 3

Medium
Confidence: 96%
Finding
The skill instructs automatic memory extraction and cross-session storage of user, feedback, project, and reference data, including explicitly 'private' user information. This is dangerous because it normalizes retention of potentially sensitive user content beyond task completion, increasing exposure through later recall, unintended sharing, or compromise of the memory store.
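The findings above name three points where a free-form correction can leak: the append into gotchas.md, the re-injection of stored notes into a later session or a spawned sub-agent, and the moment the file is committed. The following is an added example of a gate for those three points; it is not Clawder's code and not part of the scanner output. The detector patterns, the function names (scan, redact, gate, precommit_report) and the sample gotchas.md text are all constructed for illustration; a real deployment would swap in a maintained secret-scanning ruleset.

```python
"""Secret gate for agent memory files (gotchas.md and auto-memory notes).

Added example, not part of Clawder or of the scanner reports above. The
detector set, function names and sample text are constructed for
illustration only.
"""
import re
import sys
from dataclasses import dataclass

# Constructed detector set: illustrative shapes, not a complete ruleset.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*\S+"),
    "internal_url": re.compile(
        r"https?://[A-Za-z0-9.-]*\.(?:internal|corp|local)\b\S*"),
    "url_with_credentials": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@\S+"),
}


@dataclass(frozen=True)
class Hit:
    kind: str
    line: int
    preview: str  # only the first few characters, so the report does not re-leak the value


def scan(text):
    """Return every match in the text as a Hit, in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append(Hit(kind, lineno, match.group(0)[:4] + "..."))
    return hits


def redact(text):
    """Replace every match with a labelled placeholder."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


def gate(entry, policy="redact"):
    """Apply to a correction before it is appended to gotchas.md, and to the
    loaded file before it is placed into model context or handed to a spawned
    session. 'refuse' is the safer policy on the spawn path, where the text
    would otherwise leave the originating session entirely."""
    hits = scan(entry)
    if not hits:
        return entry
    if policy == "refuse":
        raise ValueError("entry contains " + ", ".join(sorted({h.kind for h in hits})))
    return redact(entry)


def precommit_report(files):
    """files maps path -> contents. Returns the lines a pre-commit hook would
    print; an empty list means the memory files are safe to commit."""
    report = []
    for path, contents in files.items():
        for hit in scan(contents):
            report.append(f"{path}:{hit.line}: {hit.kind} ({hit.preview})")
    return report


# Constructed sample of what a free-form correction log can accumulate.
SAMPLE_GOTCHAS = """# gotchas
- Retry the deploy with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE when it fails.
- Staging API is https://ci.corp.internal/api, token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
- Prefer explicit Optional[...] in signatures (user corrected this twice).
"""

if __name__ == "__main__":
    # Hook usage (hypothetical file name): python memory_gate.py gotchas.md .agent-memory/*.md
    paths = sys.argv[1:]
    if paths:
        files = {p: open(p, encoding="utf-8").read() for p in paths}
    else:
        files = {"gotchas.md": SAMPLE_GOTCHAS}
    report = precommit_report(files)
    for line in report:
        print(line)
    sys.exit(1 if report else 0)
```

On the constructed sample, scan reports the access key on line 2 and both the internal URL and the token on line 3, and a redacted copy scans clean. The same gate function is meant to sit in front of all three flows the findings describe: on the append path it can redact, on the loadGotchas path it keeps old secrets out of fresh context, and on the spawn path it should refuse rather than redact, because the attached file is what crosses into another agent's environment.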

VirusTotal

64/64 vendors flagged this skill as clean.