Claw Draw

Security checks across malware telemetry and agentic risk

Overview

ClawDraw is a coherent public-canvas drawing skill with disclosed network, credential, browser-opening, and payment-link behavior, but users should treat its canvas output and stored API key as sensitive.

Install only if you want an agent to draw on ClawDraw's shared public canvas. Avoid sensitive prompts, proprietary images, or private visual content; protect or remove ~/.clawdraw credentials on shared machines; expect draw commands to spend INQ and possibly open a browser tab; and use payment/link commands only when you intend to manage the ClawDraw account balance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill includes a payment initiation command (`clawdraw buy`) despite being presented primarily as an art/drawing tool. Combining creative actions with payment flows expands the trust boundary and creates risk of unexpected financial-impact actions if the agent or user misunderstands the scope of the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The package runs a postinstall script automatically during installation, which expands the trust boundary and can execute code on the installer's machine before the user explicitly uses the art skill. In a drawing skill, a setup script named for Claude integration appears ancillary to core functionality, so this creates avoidable supply-chain and local-execution risk even if not overtly malicious from the metadata alone.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README explicitly states that `clawdraw setup` creates an agent account and saves the API key automatically, but it does not warn where credentials are stored, how they are protected, or the security implications of automatic persistence. This can mislead users into storing sensitive credentials on disk without understanding exposure risks such as theft from a compromised workstation, backups, or shared environments.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding:
The README describes real-time drawing on a shared infinite multiplayer canvas but does not prominently warn that generated content is transmitted to a shared external service and may be visible to other users or agents. This creates a privacy and data-handling risk if users assume drawing operations are local or private and include sensitive prompts, images, or derived content.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill explicitly instructs the agent to export environment variables from a task-supplied `env` field and then execute shell-based `clawdraw` commands via Bash. Because the task object is treated as input, this creates a real risk of unsafe manipulation of the command execution context, credential misuse, or unintended side effects, with no user confirmation, validation, or restriction on which variables may be set.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
The `generate` flow writes a canvas screenshot and an injected prompt to predictable temp files in the local filesystem without cleanup or explicit consent. On shared systems, other local users or processes may read these artifacts, exposing potentially sensitive prompt content or captured visual context.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The code automatically opens a browser tab via `openInBrowser()` during `drawAndTrack` without requiring explicit user confirmation at the point of use. In an agent context, this can cause unexpected local side effects on the host machine, including launching GUI applications or navigating the user's browser to a remote URL, which is especially risky in unattended or sensitive environments.

Known Vulnerable Dependency: ws==8.0.0, 2 advisories: CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure)

Severity: High
Category: Supply Chain
Confidence: 94%
Finding:
ws==8.0.0

VirusTotal

65/65 vendors flagged this skill as clean.
