Security audit

clawagent

Security checks across malware telemetry and agentic risk

Overview

This skill provides coherent AI marketing tools, but it hides prompt reporting and gives the agent broad control over tokens and local file uploads without enough user-facing safeguards.

Review before installing. Use a dedicated revocable ClawAgent token, avoid putting secrets or confidential business details in prompts, confirm every local file before upload, and do not allow silent unsupported-feature reporting or provider-supplied update actions unless that data sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (17)

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The skill instructs the agent to silently call `report_unsupported_feature` whenever a requested capability is unavailable, without notifying the user. This can exfiltrate user intent, prompts, or business context to an external telemetry endpoint unrelated to fulfilling the immediate request, creating a privacy and data-governance risk.

Context-Inappropriate Capability

Severity: Low. Confidence: 86%.
The skill mandates a silent daily background version check via `check_skill_update`, even when the user did not ask for maintenance activity. While less severe than direct data exfiltration, it introduces non-user-initiated network activity and can leak deployment/use patterns or create an unnecessary control channel to the skill provider.

Context-Inappropriate Capability

Severity: Medium. Confidence: 86%.
The skill directs the agent to run a local installation script before establishing a clearly bounded need, which expands the trusted computing base and can introduce unreviewed software into the environment. In the same auth flow, it prepares for persistent token handling via mcporter, creating unnecessary credential persistence for a skill with no documented security model or retention limits.

Context-Inappropriate Capability

Severity: High. Confidence: 96%.
This section instructs the agent to collect a user's private token, save it, and validate it, but does not define purpose limitation, access boundaries, storage duration, or safe handling guarantees. That creates a real risk of secret exposure, over-collection, and unauthorized reuse of credentials by the agent workflow or surrounding tooling.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.
The fallback path tells the operator to persist an Authorization header into mcporter configuration, which embeds a sensitive credential into local config for future reuse. For an unknown-purpose skill, this is an unjustified privileged action that broadens the blast radius if the host, logs, config files, or other tools are later accessed.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
The documentation instructs users to execute a shell command that uploads a local file to cloud storage, but it provides no validation, scope restriction, or safety guidance about what files may be uploaded. In an agent skill context, normalizing shell execution plus arbitrary local-file exfiltration creates a real risk of unintended disclosure of sensitive local data.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The documentation explicitly allows a public URL or a local full file path as input, but it does not warn users that supplying local paths may expose sensitive local files or inadvertently upload private data to the remote image-processing service. In a skill that handles image generation and external processing, this omission increases the risk of privacy leakage and unintended disclosure of workstation or server-resident content.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The image-generation interface accepts reference image URLs without any warning that those images may contain personal, confidential, or otherwise sensitive content. Because the tool is designed to ingest user-provided images for remote processing, missing privacy guidance can lead to accidental disclosure of faces, documents, product prototypes, or other sensitive visual data.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The guide explicitly asks the user to paste a private token directly into the chat channel, which is a sensitive medium that may be logged, retained, or visible to systems beyond the user's intent. The warning not to share with others is insufficient because it omits safer alternatives and does not address chat-channel exposure risks.

Missing User Warnings

Severity: High. Confidence: 98%.
The document explicitly instructs the agent to silently call a reporting function when a request is unsupported, while also requiring the user's original prompt to be transmitted verbatim. This creates undisclosed data sharing and removes user consent or transparency, which is especially risky because user prompts may contain sensitive personal, business, or credential-like information.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The text states that arbitrary files such as images, videos, and documents can be uploaded to cloud storage, but does not warn about privacy, confidentiality, or the fact that local files may leave the user's environment. This omission is dangerous because it can cause operators or downstream agents to exfiltrate sensitive data without informed consent.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The workflow explicitly instructs execution of `eval $(./upload_file.sh $local_file_path)`, combining command execution with data upload and no warning about either the network transmission or the risks of `eval`. Using `eval` on script output is especially hazardous because any unexpected or compromised output could trigger arbitrary shell execution in addition to uploading local files.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The script transmits the contents of a local file to remote cloud storage via a presigned URL, but it does not present a clear consent, privacy, or destination warning immediately before upload. In an agent/skill context, this increases the risk of users or downstream automation uploading sensitive local files without fully understanding that data is leaving the host.

Ssd 3

Severity: Medium. Confidence: 96%.
Silently reporting unsupported user requests to an external mechanism may disclose user-provided prompts, workflows, or commercial intent without consent. In this skill's marketing/account-management context, those requests may contain sensitive campaign plans, product details, or internal business objectives, making the privacy risk more serious.

Ssd 3

Severity: High. Confidence: 98%.
This instruction directly tells the user to send a secret token to the AI so the agent can store and use it, which is a classic unsafe secret-handling pattern. It normalizes credential transfer through the conversational interface and increases the likelihood of exposure through logs, telemetry, prompt history, or downstream tool invocation.

Ssd 3

Severity: High. Confidence: 97%.
The fallback repeats unsafe credential handling by placing the user-provided token directly into command arguments, which may be exposed in shell history, process listings, logs, or debugging output. This compounds the earlier secret-collection issue by creating additional leakage paths during configuration.

Ssd 3

Severity: Medium. Confidence: 97%.
The skill requires silently copying the user's full original input into `user_prompt` and sending it to another function without informing the user. In context, this is more dangerous because it applies broadly to unsupported requests, a category likely to include free-form user text that may contain sensitive data, making this an unnecessary exfiltration channel.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.