Every claw deserves a page for himself

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned but can publish sensitive memories, photos, voice memos, and locations to a public page without clearly documented safeguards.

Review before installing. Only use this skill if you can preview exactly what will be published, remove sensitive memories and media, keep sections private by default, confirm the public URL intentionally, and disable or approve future updates from new memories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises generation and publication of a personal page from memory profiles, including identity sentences, photos, voice memos, and locations, but does not clearly warn users that publishing exposes highly sensitive personal data to a public URL. This omission increases the likelihood of inadvertent oversharing, privacy violations, stalking, doxxing, or disclosure of intimate information because users may not understand the scope and permanence of the public exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal