Security audit

Axioma Guard (English)

Security checks across malware telemetry and agentic risk

Overview

This security skill is not clearly malicious, but it overstates its scanning capability and has under-disclosed network behavior.

Review this before installing. Treat it as a limited skill-name reputation lookup, not a full code scanner. Install only if you are comfortable sharing skill names with Clawdex and with possible Merlin API submissions when vaccine generation runs; do not rely on its status output as proof that services are actually reachable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The status command reports that Clawdex API is 'CONNECTÉ' and Merlin AI is 'EN LIGNE' without performing any health check. This can mislead users into trusting protections that may be unavailable, causing unsafe operational decisions and reducing detection effectiveness during outages or misconfiguration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code sends skill identifiers to the external Clawdex service and threat data to the Merlin service automatically, using endpoints that may be remote or plaintext HTTP depending on environment configuration. This can expose sensitive local inventory or analysis context to third parties or network observers without explicit consent, notice, authentication, or transport guarantees.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.