
Security audit

claw-turbo

Security checks across malware telemetry and agentic risk

Overview

This skill openly acts as a fast command router, but it can turn ordinary matched messages into immediate local shell actions like deploys and service restarts without documented safety gates.

Install only after reviewing and pinning the external GitHub source. Use narrow, explicit routes first, run the proxy as a least-privileged user, and avoid production deploys, service restarts, refunds, printing, or account-changing actions unless you add confirmation, authorization, input validation, audit logs, and rollback controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The description explicitly promotes intercepting broad classes of user commands such as deploy, restart, print, and check logs, then executing scripts directly while bypassing LLM reasoning. In a routing middleware, this increases the chance that ambiguous or casually phrased user input will trigger operational actions without sufficient confirmation, validation, or contextual safety checks.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The use cases are framed as ordinary natural-language phrases like 'restart nginx' or 'turn on lights' without qualifiers, role restrictions, or examples of safe boundaries. Because the product's purpose is regex-based direct execution, generic phrases materially raise the risk of accidental or unauthorized invocation in realistic conversations.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The quick-start route examples include direct execution of 'bash /opt/scripts/deploy.sh' and 'systemctl restart' from captured user input, but the documentation gives no warning about destructive side effects, privilege boundaries, command injection risks, or the need for confirmation. In this context, omission of those warnings is dangerous because the skill is expressly designed to bypass LLM mediation and execute matched commands immediately.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: This route lets a natural-language message trigger a real deployment command directly, with no confirmation step, authorization check, or safety gate shown in the configuration. In a router explicitly designed to bypass LLM review and execute matched commands immediately, a mistaken match, prompt injection into upstream tooling, or unauthorized user input could cause unintended production changes.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: This route maps simple user text directly to a disruptive system operation, allowing service restarts without any user warning, approval, or policy enforcement. Because the skill's purpose is zero-latency direct execution, it reduces opportunities for human review and increases the risk of accidental downtime or abuse by anyone who can send matching input.

VirusTotal

66/66 vendors flagged this skill as clean.