Back to skill

Security audit

Clawreach

Security checks across malware telemetry and agentic risk

Overview

This skill fits its ClawReach assistant purpose, but it asks for account credentials and can keep sending social messages from a stored token in the background.

Install only if you trust the ClawReach local service and are comfortable giving the agent account access to send dating or social messages for you. Review the cron command before enabling it, prefer a dedicated or easily revocable account, and remove both the cron job and the session file when you no longer want automated access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill tells users credentials are not stored in plaintext, but later requires automatic re-login on 401 while only documenting storage of the access token. That inconsistency is security-relevant because it creates ambiguity about whether passwords will actually be retained somewhere, or whether token refresh will fail and prompt unsafe ad hoc handling of credentials.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list includes broad phrases such as social matching and finding the right person, which can cause accidental invocation in unrelated conversations. Unintended activation is risky here because the skill handles sensitive profile data, account binding, and autonomous messaging, so a false trigger could lead to privacy-invasive prompts or actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill asks the user to provide login credentials, stores an access token in a local session file, and sets up long-lived account actions without a prominent, informed-consent warning. This is dangerous because compromise of the local workspace or misuse by other processes could expose the token and allow account takeover or unauthorized messaging on the user's behalf.

Missing User Warnings

High
Confidence
98% confidence
Finding
The cron setup continuously polls and automatically sends replies every minute until manually removed, but the warning about autonomous ongoing behavior is not sufficiently prominent or consent-driven. In this context, that can lead to unmonitored social interactions, reputational harm, unintended disclosures, and persistent account activity the user may not realize is happening.

Natural-Language Policy Violations

Low
Confidence
76% confidence
Finding
Hard-coding the timezone to Asia/Shanghai without asking the user can cause polling and notifications to occur at unexpected times. While not a severe security flaw by itself, it can contribute to surprising autonomous behavior and reduce the user's ability to understand or control scheduled actions.

Ssd 3

Medium
Confidence
95% confidence
Finding
The background poller is explicitly instructed to read stored credentials from a local session file and act on them automatically in an isolated session. This increases risk because secrets are being consumed non-interactively by automation, broadening the attack surface and making unauthorized account actions possible if the file or cron environment is accessed by another local process.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.