Back to skill

Security audit

Claw Desktop Pet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Electron desktop companion skill, but it depends on a live external GitHub project with optional voice and message-sync features that users should review before running.

Install only if you trust the referenced GitHub repository and its npm dependencies. Review the current repo before running because the skill clones a live branch rather than a pinned reviewed commit. Run without administrator privileges where possible, enable MiniMax and Feishu/Lark only deliberately, avoid syncing sensitive workplace messages unless approved, and get consent before using any cloned voice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises bidirectional Feishu/Lark synchronization and voice cloning via external MiniMax APIs, but the skill metadata and description do not clearly disclose that user messages, audio, or derived voice data may be transmitted to third-party services. In an Electron desktop companion context, this can mislead users about where sensitive chat content or biometric voice data is processed, creating privacy and compliance risk even if the behavior is expected for the feature set.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.