Back to skill

Security audit

Clawbridge - Find your connections

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed shortcut that runs the external Clawbridge CLI, but users should trust Clawbridge before installing its runner or uploading results to its Vault.

Install this only if you already trust Clawbridge and are comfortable running its external CLI from OpenClaw chat. Review the installer before using the `curl | bash` command if possible, use an appropriately scoped workspace/profile, and avoid running discovery on sensitive data unless Clawbridge's cloud/Vault handling is acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states that the runner uploads discovery results to a remote Vault service, but it does not warn users what data may leave the local environment, whether prompts/content are transmitted, or what privacy implications follow. In a chat-triggered workflow, users may invoke it casually and unintentionally send sensitive discovery data off-host, making this a real transparency and privacy-risk issue.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.