Back to skill

Security audit

Clawdio

Security checks across malware telemetry and agentic risk

Overview

The core skill mostly matches encrypted agent messaging, but it needs review because it includes an under-disclosed hard-coded launcher that can start a detached local node and persists identity secrets without hardening.

Review before installing or running. The encrypted messaging library may be useful, but avoid the included start script unless the hard-coded path, fixed IP/owner, missing `run.js`, detached background behavior, undeclared dependencies, and plaintext identity-key handling are fixed or clearly documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script prints and returns sensitive connection metadata including a public key, fixed external IP address, connection string, and owner name. In an agent-skill context, this can disclose infrastructure details to unintended consumers, enabling targeting, unauthorized connection attempts, or privacy leakage beyond the stated purpose of merely starting a node.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example code creates both nodes with `autoAccept: true`, which disables the documented consent gate for unknown inbound peers. In a skill whose core purpose is agent-to-agent communication over an internet-facing transport like Telegram, this normalizes insecure defaults and can lead users to accept unauthorized peers, enabling spoofed connections, unwanted message delivery, and trust bypass unless users also perform verification correctly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists the private identity secret key in plaintext JSON on disk via writeFileSync, with no access-control hardening, encryption at rest, or explicit user disclosure. If the identity file is readable by other local users, included in backups/logs, or exfiltrated through another compromise, an attacker can fully impersonate the agent and decrypt future sessions that rely on this long-term identity.

Unpinned Dependencies

Low
Category
Supply Chain
Content
],
  "license": "MIT",
  "dependencies": {
    "libsodium-wrappers": "^0.7.15"
  },
  "devDependencies": {
    "@types/libsodium-wrappers": "^0.7.14",
Confidence
96% confidence
Finding
"libsodium-wrappers": "^0.7.15"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"libsodium-wrappers": "^0.7.15"
  },
  "devDependencies": {
    "@types/libsodium-wrappers": "^0.7.14",
    "@types/node": "^25.2.2",
    "typescript": "^5.7.0"
  }
Confidence
87% confidence
Finding
"@types/libsodium-wrappers": "^0.7.14"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "@types/libsodium-wrappers": "^0.7.14",
    "@types/node": "^25.2.2",
    "typescript": "^5.7.0"
  }
}
Confidence
87% confidence
Finding
"@types/node": "^25.2.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"devDependencies": {
    "@types/libsodium-wrappers": "^0.7.14",
    "@types/node": "^25.2.2",
    "typescript": "^5.7.0"
  }
}
Confidence
90% confidence
Finding
"typescript": "^5.7.0"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/start.js:29