Security audit

clawpage-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for publishing Clawpage pages, but it needs Review because it can create persistent account credentials, run an unpinned npm runtime, publish external content, and includes an unsafe browser-token example.

Install only if you intend to use Clawpage and trust both the Clawpage service and the npm CLI it runs. Before using it, consider pinning `@clawpage.ai/cli` to an audited version, confirm before initialization because it creates a remote account and stores an owner token, keep `keys.local.json` private, and never place an `sk_*` token in page HTML or browser JavaScript.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger

Findings (16)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill expands a page-creation workflow into account registration behavior, including creating a new remote account if no local credentials exist. Although it requires explicit user approval, this is still a sensitive side effect outside the narrow scope of creating a page and increases the blast radius of the skill by enabling identity creation and persistent credential provisioning.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill instructs the agent to create and save a long-lived API token to ~/.clawpage/keys.local.json as part of handling a missing-account condition. Persisting durable credentials from within a content/publication flow is high risk because it creates lasting access on the machine and could be abused by other processes, future prompts, or users if file protections are weak.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: This is a true vulnerability: the skill explicitly warns not to ship an `sk_` token in browser code, then immediately shows an example that embeds an owner token in public page JavaScript. If copied by an agent or user, any visitor could extract the token from page source or DevTools and use it to access privileged Clawpage APIs, exposing page analytics or enabling broader account-level actions depending on token scope.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The README recommends a broad natural-language trigger phrase ('Use clawpage-skill to init') for invoking a capability that performs side effects, including account registration and token creation. In agentic environments, overly broad trigger phrasing can cause unintended invocation from user text or quoted examples, leading to unexpected execution of CLI commands and account initialization.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The router description says it should trigger proactively when a user wants to turn a long or complex response into a web URL or dashboard, which is broad enough to capture many ordinary requests. That can cause the agent to invoke Clawpage operations unexpectedly, leading to unintended publishing or creation of externally accessible content from user data.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill declares that initialization will automatically register a new user and save configuration to keys.local.json, but the router metadata and top-level behavior do not prominently warn that account creation and local credential/config file persistence may occur. Users may unknowingly authorize account provisioning and local secret storage, which creates consent and credential-handling risks.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README instructs users to run an initialization flow that creates an account and stores a long-lived owner token in a local file, but the warning about the sensitivity of that token appears later and is easy to miss. In a skill/plugin context, this normalizes credential persistence and may lead users to create or store powerful secrets without understanding the exposure risk, especially if they later copy files, commit dotfiles, or use shared environments.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill metadata and description explicitly say to trigger proactively for broad classes of user requests, which increases the chance the router is invoked without clear user intent. In this context, unintended invocation matters because the routed sub-skills can create pages, publish content, initialize accounts, and write local configuration, turning an overbroad trigger into unintended side effects.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The router advertises an `init` sub-skill that will automatically register a new user and save configuration to `keys.local.json`, but this file provides no explicit requirement for informed user consent before those actions. Auto-registration plus local credential/config persistence can create accounts and store sensitive material on disk unexpectedly, which is unsafe if the router is triggered loosely or indirectly.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill directs the agent to publish content to a remote service and then write returned identifiers such as pageId into local project files, but it does not require an explicit user-facing confirmation immediately before those side effects occur. This is dangerous because publishing can expose data externally and local metadata writes create persistent state changes that the user may not expect from a drafting workflow.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger conditions are broad enough that routine words like 'init' or 'setup' could cause the skill to run an initialization flow that creates an external account and writes credentials locally. In this context, accidental invocation is more dangerous than usual because the skill performs side effects without an explicit confirmation or warning step.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The description omits a clear warning that the skill may automatically register a third-party account and persist authentication material to ./keys.local.json. That lack of disclosure undermines informed user consent and increases the risk of unexpected credential creation, secret sprawl, and unsafe local storage of tokens.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The quick reference documents destructive deletion and removal of page protection (`pagecode: null`) without any warning about irreversible data loss or unintended public exposure. In an agent skill context, that omission is risky because an automated workflow may execute these operations without surfacing the consequences to the user.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill states there are 'zero privacy concerns' and 'zero GDPR compliance cost' even though it explicitly describes collection of timestamps and page identifiers. That is an overbroad and misleading compliance claim: even minimal telemetry can still be personal data or become linkable in context, which may cause operators to under-disclose tracking or skip required legal/privacy review.

Session Persistence

Medium

Category: Rogue Agent
Content: English docs. Chinese version: [docs/README.zh-CN.md](docs/README.zh-CN.md). `clawpage-skill` turns long text into interactive Clawpage web apps. You can ask for a page in natural language, and the skill routes to page/template create or update workflows, then publishes a URL. Official website: `https://clawpage.ai`
Confidence: 80% confidence
Finding: create or update workflows, then publishes a URL. Official website: `https://clawpage.ai` ## What you can do - Convert long stock-market analysis text into a chart-driven dashboard - Build insight

Session Persistence

Medium

Category: Rogue Agent
Content: - Path: `${CLAUDE_SKILL_DIR}/init/SKILL.md` - Purpose: initialize the skill, automatically register a new user, and save configuration to keys.local.json 2. `create page` - Path: `${CLAUDE_SKILL_DIR}/create-page/SKILL.md` - Purpose: create a new page project and publish
Confidence: 78% confidence
Finding: create page` - Path: `${CLAUDE_SKILL_DIR}/create-page/SKILL.md` - Purpose: create a new page project and publish 3. `update page` - Path: `${CLAUDE_SKILL_DIR}/update-page/SKILL.md` - Purpose: update

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.