clawder-agent

Security checks across malware telemetry and agentic risk

Overview

Clawder is a coherent coding-agent skill, but it asks for broad autonomous repository-changing power and persistent memory reuse without enough user control or privacy safeguards.

Install only if you are comfortable with an autonomous coding agent that may modify or delete repository files, spawn background agents, and persist task context across sessions. Before using it on sensitive repositories, disable or closely review memory and gotchas logging, require explicit approval for deletions and broad refactors, avoid unrestricted modes, and inspect generated memory files before committing or sharing the repo.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Intent-Code Divergence (Medium, 92% confidence)

Finding: The skill claims verification is mandatory before reporting completion, but the sample implementation only runs checks when specific config files exist. In projects without tsconfig, eslint config, or package.json, Promise.all(checks) can succeed with an empty list, allowing the agent to claim verified completion without actually performing any validation.

Vague Triggers (Medium, 91% confidence)

Finding: The directive 'Autonomous Bug Fixing: Just fix it, no hand-holding' encourages the agent to take unilateral action without requiring explicit scope checks, approval boundaries, or safety constraints. In an agent skill, this can lead to unintended code changes, risky refactors, or modification of unrelated files when the agent encounters ambiguous problems.

Missing User Warnings (Medium, 95% confidence)

Finding: The skill explicitly instructs automatic logging of corrections to gotchas.md and later loading that content into future sessions, but it does not mention consent, data minimization, or redaction. Free-form corrections can easily contain secrets, proprietary code fragments, incident details, or personal data, creating unintended persistent storage and later disclosure risk.

Missing User Warnings (Medium, 94% confidence)

Finding: The memory extraction and session integration sections describe scanning transcripts for content and injecting stored memories/gotchas into prompts without a clear privacy boundary. This can propagate sensitive data from one interaction into another context or session, especially when prompts and attachments are shared with spawned agents.

Missing User Warnings (Medium, 91% confidence)

Finding: The skill explicitly instructs the agent to delete dead code and write intermediate results without any user-facing notice that repository contents may be modified. In an autonomous coding agent, this can lead to unexpected destructive changes or persistence of artifacts beyond the user's intent, especially if the agent acts broadly on ambiguous prompts.

Missing User Warnings (Low, 95% confidence)

Finding: The instruction to log mistakes to gotchas.md directs the agent to create or update a persistent file without informing the user. This creates an undisclosed side effect and may store sensitive task details, internal reasoning summaries, or user-derived information in the repository.

Missing User Warnings (Medium, 97% confidence)

Finding: The memory system requires extracting memories after each turn and storing them across MEMORY.md, auto-memory, and CLAUDE.md, but does not warn users about persistent retention of conversation-derived information. This increases the risk of unintentionally retaining sensitive prompts, code details, secrets, or private project context in durable files.

Missing User Warnings (Medium, 94% confidence)

Finding: The skill describes automatic logging of corrections into gotchas.md without warning that user-provided content may be persisted into project files. This can capture sensitive prompts, proprietary code details, or operational guidance and store them in a durable artifact that may later be committed, shared, or reused unintentionally.

Vague Triggers (Medium, 80% confidence)

Finding: The description is highly promotional and frames the agent as a production-grade coding authority without clearly defining safe operating boundaries, intended use cases, or situations where it should not be invoked. In a coding agent context, this can cause over-trust and inappropriate use on sensitive repositories or destructive tasks, increasing the chance that users delegate risky actions without understanding scope or limits.

Missing User Warnings (Medium, 93% confidence)

Finding: The manifest explicitly endorses autonomous code deletion, writing intermediate results, and file-system-driven state management, but provides no visible warning, consent flow, or safeguard description for destructive or privacy-impacting actions. Because this is a coding agent with worktree/sub-agent behavior and autonomous bug fixing, the context makes the issue more dangerous: users may trigger broad repository changes, accidental data loss, or leakage of sensitive content into generated artifacts without realizing the operational impact.

Missing User Warnings (Medium, 95% confidence)

Finding: The skill explicitly defines persistent memory categories including private user data and states that memory extraction runs automatically after each complete turn, writing to local files for later recall. Without a prominent warning, consent flow, retention limits, or guidance on sensitive data handling, users may unknowingly cause personal or team-confidential information to be stored across sessions.

Missing User Warnings (Medium, 90% confidence)

Finding: This section instructs the agent to use the file system as working state, write intermediate results to files, and use files for cross-session memory, but does not clearly warn users that the skill may autonomously create or modify local files. In a coding-agent context, silent file writes can expose sensitive content, pollute repositories, or create durable records of prompts, outputs, or secrets.

Missing User Warnings (Medium, 93% confidence)

Finding: This code persists conversation-derived memories to disk by writing markdown files containing descriptions, timestamps, scope, and free-form content, but there is no consent, notice, or gating mechanism before storage. Because the source data comes from transcripts, it may include sensitive personal, project, or confidential information that users would not expect to be retained beyond the session.

Vague Triggers (Low, 87% confidence)

Finding: The manifest description advertises sweeping autonomous capabilities such as forced verification, sub-agent swarming, mistake logging, and autonomous bug fixing without stating scope limits, approval requirements, or activation constraints. In an agent skill, this kind of broad capability framing can enable over-privileged or unexpected behavior because operators and downstream tooling cannot easily infer when these actions should or should not occur.

Ssd 3 (Medium, 97% confidence)

Finding: The logMistake example persists mistake.context directly from a correction into gotchas.md. Because correction text is free-form, it may include secrets, credentials, internal paths, customer data, or proprietary snippets that are then stored on disk and resurfaced later.

Ssd 3 (Medium, 96% confidence)

Finding: The loadGotchas function reads accumulated gotchas.md and injects its full contents into later session prompts. This creates cross-session data leakage where information from prior tasks may influence or be exposed during unrelated future work.

Ssd 3 (Medium, 98% confidence)

Finding: Attaching the full gotchas.md file to spawned sessions propagates all previously stored context to additional agents or runtimes. This broadens access to potentially sensitive historical content and increases the chance of unintended disclosure, especially in parallel or remote execution modes.

Ssd 3 (Medium, 96% confidence)

Finding: Persistent gotchas logging creates a durable data-retention channel for user corrections and session-derived content, and the same file is later reloaded into future prompts. This can leak sensitive information across tasks, amplify prompt injection persistence, and cause prior user inputs to influence unrelated future sessions.

Ssd 3 (Medium, 95% confidence)

Finding: The memory extraction logic scans transcripts for keywords and converts matched content into reusable memories. That creates an automatic retention pipeline from conversational content into future prompt context, which can preserve sensitive data or adversarial instructions beyond the original session.

Ssd 3 (Medium, 95% confidence)

Finding: Attaching the full gotchas history to spawned sessions exposes accumulated prior-session content to each new run. This broadens the blast radius of any sensitive or malicious content stored in gotchas.md and can leak unrelated project or user information into new agent contexts.

Ssd 3 (Medium, 97% confidence)

Finding: The memory system directs retention of user preferences, feedback, project details, and reference information across sessions, including private and team-scoped data. Persisting such data by default increases the risk of unintended disclosure, secondary use, and long-lived storage of sensitive information beyond the user's expectations.

VirusTotal

67/67 vendors flagged this skill as clean.