Clawdio

Security checks across malware telemetry and agentic risk

Overview

Clawdio appears to be a legitimate P2P messaging skill, but its security-sensitive defaults and trust handling are weaker than its secure-authenticated messaging claims.

Review before installing. Keep autoAccept off outside isolated tests, bind to 127.0.0.1 or firewall the port unless remote access is intentional, verify peer safety numbers out of band, and avoid persisting sensitive identities until the identity file is protected and outbound peer-key binding is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The transport layer uses plain `ws://` WebSocket connections and exposes raw message delivery without any visible Noise XX handshake, peer authentication, or XChaCha20-Poly1305 encryption, despite the skill claiming secure P2P communication. This creates a security-relevant mismatch: traffic may be readable or modifiable by network attackers, and users or dependent components may falsely assume confidentiality and authenticity are already provided.

Missing User Warnings

Medium
Confidence: 93%
Finding
The quick-start example configures both peers with `autoAccept: true`, which disables the documented inbound consent control and normalizes insecure defaults for copy-paste users. In a security-focused P2P skill, this is especially risky because users are likely to adopt the sample code verbatim, allowing unsolicited inbound peers to be trusted without explicit approval and weakening the human-verification trust model.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code persists the full long-term identity, including the private/secret key, to disk in plaintext JSON via `fs.writeFileSync`. If the file is readable by other local users, included in backups, copied from a container volume, or accidentally committed/exposed, an attacker can impersonate the node, defeat peer identity guarantees, and potentially decrypt or participate in future sessions as that identity.

Missing User Warnings

Medium
Confidence: 94%
Finding
The server listens on `0.0.0.0` by default, exposing the WebSocket service on all network interfaces. In the context of a purportedly secure P2P agent communication skill, this broad exposure increases attack surface and allows unintended remote hosts to reach the service, especially since no authentication, encryption, or connection gating is visible in this layer.

VirusTotal

66/66 vendors flagged this skill as clean.
