KimiClaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use API credentials for its stated integration purpose, but users should handle those secrets carefully because the guidance does not clearly explain safe storage practices.

Install only if you are comfortable supplying the needed API credentials. Use least-privileged, revocable keys; prefer a secret manager or an untracked local environment file; do not commit keys to source control; avoid printing them in logs; and rotate them if they may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill repeatedly instructs users to place API keys directly into config files, shell environment variables, HTTP headers, and spawned-agent environment dictionaries, but provides no guidance on secret storage, redaction, or avoiding committed plaintext credentials. This creates a realistic risk of credential leakage through source control, shell history, logs, process inspection, crash dumps, or inherited child-process environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal