Claw Desktop Pet - Enterprise-grade 7x24 AI Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed desktop assistant setup with normal supply-chain and always-on app risks, but no artifact-backed evidence of hidden or malicious behavior.

Before installing, review the referenced GitHub repository and dependency manifests, avoid running the app as administrator, keep the OpenClaw bridge bound to localhost, and confirm how to stop the app or disable auto-restart. Non-Chinese readers should translate the documentation before running the setup commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: The skill description is entirely in Chinese and does not offer a language choice, translation, or explicit opt-in for non-Chinese readers. This can prevent reviewers and users from understanding installation steps, capabilities, and risks, which undermines informed consent and security review even though it is not direct code execution risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal