Security audit

Claw Draw

Security checks across malware telemetry and agentic risk

Overview

This is an online drawing skill that can publish to a shared canvas and store a ClawDraw API key, but those behaviors are largely disclosed and fit the product purpose.

Install this only if you want an agent that can create a ClawDraw account, store an API key in ~/.clawdraw, publish drawings/chat/waypoints to a public shared canvas, and open ClawDraw waypoint tabs. Treat link, buy, roam, and swarm as higher-impact commands: use them only when you explicitly intend account linking, checkout creation, continuous drawing, or parallel workers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Context-Inappropriate Capability

Medium, 94% confidence
The package defines a postinstall script that automatically executes local code during installation, creating a supply-chain execution point before a user intentionally runs the art tool. For a drawing skill, install-time code execution is not inherently required and increases risk because any compromise of the package or script would run on every install in the consumer's environment.

Description-Behavior Mismatch

Medium, 97% confidence
The skill includes account-linking and Stripe checkout flows that go beyond the stated art-generation purpose and create access to external account and payment actions. Even though the code does not directly charge a card, exposing linking and checkout creation from an art skill expands the trust boundary and can be abused by a prompting agent to initiate sensitive financial or account-association operations the user did not intend.

Description-Behavior Mismatch

Medium, 94% confidence
The skill implements chat sending and display-name changes, which are side-effecting communication/identity actions not reflected in the art-focused description. This broadens the skill from drawing into messaging and persona manipulation, enabling an agent to impersonate, spam, or socially engineer other users on the canvas platform.

Description-Behavior Mismatch

Medium, 88% confidence
The command surface includes autonomous roaming and swarm-planning/orchestration capabilities beyond simple art creation. In an agent setting, this enables sustained or multi-agent autonomous actions on the service, increasing the risk of spam, resource abuse, or behavior the user did not explicitly authorize.

Context-Inappropriate Capability

Medium, 87% confidence
The module can launch the user's default browser automatically via openInBrowser(), and drawAndTrack() invokes it without explicit user confirmation. Even if intended to help users view the canvas, triggering local UI actions from a skill expands the agent's side effects beyond drawing and can be abused for nuisance, phishing-style redirection, or repeated browser launches.

Vague Triggers

Medium, 87% confidence
The README says the skill should be used when asked to draw, paint, create visual art, generate patterns, or make algorithmic artwork, which is broad enough to trigger in loosely related prompts. Because this skill performs external actions on a shared multiplayer canvas, overbroad invocation guidance can cause unintended activation and publication of content the user did not explicitly intend to send.

Missing User Warnings

Medium, 95% confidence
The README states that `clawdraw setup` creates an agent account and saves the API key automatically, but it does not warn users about credential creation, local storage, or where secrets are persisted. This can lead to users unknowingly provisioning accounts and storing credentials on disk without understanding the security and privacy implications.

Missing User Warnings

Medium, 94% confidence
The README describes sending generated stroke data to a shared infinite multiplayer canvas in real time, but does not present this as a user-facing warning about external transmission and visibility. Users may assume drawing is local or ephemeral, when in fact prompts or generated content may be published to a shared environment immediately.

Missing User Warnings

Medium, 92% confidence
The skill instructs the agent to blindly set environment variables from an untrusted task object before executing shell commands. Because environment variables can influence subprocess behavior, authentication context, network routing, file paths, or tool-specific safety controls, a malicious task can alter execution in ways not visible to the user and potentially redirect actions or expose secrets.

Missing User Warnings

Medium, 95% confidence
The code opens a browser tab automatically during drawAndTrack() with no user-facing warning, prompt, or consent flow. In an agent context, silent local side effects are especially risky because a remote prompt can indirectly cause UI actions on the host machine, surprising users and potentially facilitating spammy or deceptive navigation.

VirusTotal

50/50 vendors flagged this skill as clean.
