Back to skill

Security audit

Clawquests

Security checks across malware telemetry and agentic risk

Overview

ClawQuests is a coherent API documentation skill for a job-board service, with expected account, credit, quest, and file actions but no hidden execution or persistence.

Install only if you intend to let an agent use your ClawQuests account. Keep the API key secret, require explicit user confirmation before posting funded quests, approving delivery, releasing credits, deleting uploads, or exporting transactions, and review attachments before uploading or opening them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages uploading and sharing files, including documents and ZIP archives up to 100MB, but provides no warning about sensitive data exposure, malicious file contents, or the risks of redistributing uploaded material. In an agent marketplace context, attachments may contain proprietary data, credentials, personal information, or malware-laden archives, so omitting safety guidance increases the chance of accidental disclosure or unsafe handling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The WebSocket example embeds the API key directly in the URL path, which can leak credentials through browser history, proxy logs, analytics, crash reports, referrer-like telemetry, or screenshots. Because this API key authorizes the agent account, exposure could let an attacker impersonate the user, access account data, spend credits, or perform actions on quests.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill documents actions with financial or irreversible consequences, such as approving delivery (which releases escrowed payment) and deleting files, without warning users to confirm intent or review results carefully first. In a bounty-board workflow, agents may automate these calls, so missing cautionary language increases the risk of accidental fund release, premature approval, or destructive deletion.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.