Clawdbot For Vcs

Security checks across malware telemetry and agentic risk

Overview

This VC workflow skill is not malicious, but it asks for broad Gmail, Calendar, and CRM authority while its approval and automation boundaries are too unclear for automatic approval.

Install only after reviewing the requested access carefully. Start in draft-only and review-only mode; keep auto-archive and automatic Affinity writes disabled until tested; require explicit, action-specific confirmations rather than generic words like "yes" or "send"; avoid heartbeat or scheduled runs until their scope is defined; and keep API keys in a password manager or secret manager rather than in shell startup files such as ~/.bashrc.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document contains conflicting guidance: it says the AI should never send emails without approval, but earlier sections describe auto-responding and reviewing already auto-responded emails. In an email-enabled agent, contradictory safety requirements can lead operators to enable autonomous outbound messaging, increasing the risk of unauthorized communications, reputational damage, and data leakage.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill states a safety rule of 'NEVER message anyone except you,' but later instructs the AI to send daily briefings via channels like WhatsApp or Slack. This contradiction weakens the trust boundary and can lead to unauthorized external transmission of potentially sensitive email, calendar, and CRM data through additional services.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The manifest claims the skill is 'safe by default' and will 'always ask before external actions,' but multiple features describe automatic email drafting, CRM syncing, logging, and event creation without any explicit confirmation boundaries. This mismatch can mislead users and downstream agents into performing sensitive external actions on email, calendar, or CRM systems without an informed approval step.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The troubleshooting instructions tell the user to print the full AFFINITY_API_KEY to the terminal with `echo $AFFINITY_API_KEY`. This can expose the secret in terminal scrollback, shell history capture workflows, screen recordings, logs, or shoulder-surfing scenarios, making credential compromise more likely.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The package summary advertises 'heartbeat-triggered' daily briefings but provides no nearby description of what event source triggers the action, how often it runs, or what guardrails limit mailbox/calendar access. In an agent skill that can read email, query CRM, and create calendar artifacts, vaguely scoped autonomous activation increases the risk of unintended background processing, excessive data access, or repeated actions without explicit user awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The summary lists 'Auto-archives processed emails' as a feature without an adjacent warning that this changes mailbox state and could hide messages, disrupt triage, or cause users to miss important communications if the classification is wrong. Because this skill targets high-volume investor inboxes, silent or poorly signposted archival behavior can materially affect business workflows and reduce visibility into mistakes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Using the single word "send" as an approval token is ambiguous and can be matched accidentally in normal conversation or quoted text. In a skill that drafts emails and manages workflow actions, this increases the risk of unintended draft creation, sending, or state changes without sufficiently explicit confirmation.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Using "yes" to approve pushing a memo to Affinity is too generic and can be triggered by unrelated conversational context. Because the action transmits potentially sensitive deal information to an external CRM, ambiguous approval materially raises the chance of unintended data disclosure or record modification.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrase "send both" is ambiguous in a multi-item workflow because the system may misidentify which two drafts or actions are being approved. In an email automation context, that can lead to unintended outbound communications to the wrong recipients or execution of the wrong pending actions.
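The three findings above share one root cause: approval is keyed on a bare word ("send", "yes", "send both") that also occurs in ordinary conversation and in quoted email text, and in a multi-item workflow the word does not say which pending action it refers to. The following is an added example (it is not code from the Clawdbot skill or from SkillSpector) showing the difference between that bare-word matching and an approval phrase that is bound to one specific pending action. The `PendingAction`, `ApprovalGate` and `demo` names and the constructed chat messages are assumptions made for illustration.

```python
"""Action-specific approval phrases versus bare-word approval (added example)."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Bare words that a "say 'send' / 'yes' to approve" rule effectively treats as consent.
GENERIC_APPROVAL_WORDS = ("send both", "send", "yes")


def generic_approval(message: str) -> bool:
    """Approval the way the scanned skill describes it: any occurrence of the word.

    This also matches quoted email text and ordinary conversation, which is the
    finding's point.
    """
    text = message.lower()
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in GENERIC_APPROVAL_WORDS)


@dataclass
class PendingAction:
    """One side-effecting step (email send, Affinity write, archive) waiting for consent."""
    action_id: str
    kind: str      # hypothetical kinds: "send_email", "affinity_write", "archive"
    summary: str   # shown to the user before they approve
    nonce: str = field(default_factory=lambda: secrets.token_hex(3))

    def approval_phrase(self) -> str:
        # Bound to this action, not guessable, and not a word people use in passing.
        return f"approve {self.kind} {self.action_id}-{self.nonce}"


class ApprovalGate:
    """Holds pending actions; an action runs only when its exact phrase is the whole message."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingAction] = {}
        self._counter = 0

    def propose(self, kind: str, summary: str) -> PendingAction:
        self._counter += 1
        action = PendingAction(action_id=f"a{self._counter}", kind=kind, summary=summary)
        self.pending[action.action_id] = action
        return action

    def approve(self, message: str) -> Optional[str]:
        """Return the id of the single action this message approves, or None.

        The whole message must equal one approval phrase: a phrase embedded in a
        forwarded email or a longer sentence does not count, and each phrase is
        consumed once, so "send both" style ambiguity cannot arise.
        """
        text = " ".join(message.lower().split())
        for action_id, action in list(self.pending.items()):
            if text == action.approval_phrase():
                del self.pending[action_id]
                return action_id
        return None


def demo() -> dict:
    """Constructed messages (not real traffic); returns the outcomes so they can be checked."""
    gate = ApprovalGate()
    draft = gate.propose("send_email", "Reply to founder re: Series A intro")
    memo = gate.propose("affinity_write", "Push deal memo for Acme to Affinity")
    chatter = "Yes, the founder asked us to send both decks to the LP list."
    return {
        "generic_fires_on_chatter": generic_approval(chatter),
        "gate_ignores_chatter": gate.approve(chatter),
        "gate_ignores_embedded_phrase": gate.approve("FYI: " + draft.approval_phrase()),
        "gate_approves_exact": gate.approve(draft.approval_phrase()),
        "gate_phrase_consumed": gate.approve(draft.approval_phrase()),
        "memo_still_pending": memo.action_id in gate.pending,
    }
```

The operator shows the user `summary` together with `approval_phrase()` when proposing an action; the user has to type that phrase back verbatim, so a "yes" in a forwarded thread or a "send" in a note about the deck never triggers anything.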

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide instructs users to base64-encode a password (an encoding, not encryption) and export it as an environment variable from a shell startup file, which is not secure storage and can expose the secret via shell history, process inspection, logs, or persistent environment files. Presenting this as a setup pattern without strong warnings normalizes unsafe credential handling for a tool with access to Gmail and Calendar.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation asks users to authenticate Gmail, Calendar, and CRM access but does not prominently warn about the breadth of access or the sensitivity of the data involved. In a workflow handling investor communications and company information, missing privacy guidance increases the likelihood of overbroad deployment and unsafe data exposure.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
This skill handles highly sensitive Gmail, calendar, and Affinity CRM data, yet the README emphasizes convenience and productivity without a prominent privacy and data-handling warning up front. That omission can lead users to grant broad access without understanding the sensitivity of founder communications, meeting metadata, and investment pipeline information, increasing the risk of unsafe deployment or over-permissioning.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Using broad phrases like 'what's my briefing?' or 'what do I need to know?' as triggers can cause accidental invocation during normal conversation. In an agent with access to Gmail, Calendar, and CRM, ambiguous activation can produce unintended data retrieval or side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow describes automatic archival and CRM logging actions as part of normal processing without an upfront, prominent warning that user data and external records will be modified. This creates a risk of silent mailbox changes and third-party data propagation that the user may not expect.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill advertises broad workflow automation across email, CRM, memo generation, and calendar management, but the manifest does not define invocation boundaries, approved triggers, or limits on autonomous behavior. In practice, this can enable overly broad interpretation by an agent, causing it to access or act on sensitive systems beyond what the user expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill handles highly sensitive business data: investor email, deal flow, CRM records, notes, and calendar information. The manifest promotes automation over these systems without clear user-facing privacy warnings, data handling expectations, or notice that external writes may occur, increasing the risk of accidental disclosure, unauthorized record changes, or trust-damaging communications.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Create a password for the gog keyring
# Store this somewhere safe (e.g., password manager)

# Set environment variable (add to ~/.bashrc or ~/.zshrc)
export GOG_KEYRING_PASSWORD=$(echo "YOUR_BASE64_PASSWORD" | base64 -d)
```
Confidence
99% confidence
Finding
add to ~/.bashrc

Session Persistence

Medium
Category
Rogue Agent
Content
### 2.2 Set Environment Variable

```bash
# Add to ~/.bashrc or ~/.zshrc
export AFFINITY_API_KEY="your_api_key_here"

# Reload shell config
```
Confidence
99% confidence
Finding
Add to ~/.bashrc

Session Persistence

Medium
Category
Rogue Agent
Content
### 1.3 Set up gog keyring password

```bash
# Create a password for the gog keyring
# Store this somewhere safe (e.g., password manager)

# Set environment variable (add to ~/.bashrc or ~/.zshrc)
```
Confidence
97% confidence
Finding
Create a password for the gog keyring # Store this somewhere safe (e.g., password manager) # Set environment variable (add to ~/.bashrc or ~/.zshrc
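The three Session Persistence excerpts above, together with the earlier `echo $AFFINITY_API_KEY` troubleshooting finding, describe the same two mistakes: putting a secret in a startup file so it lives in every future shell, and printing it to check that it is set. The following is an added example (not code from the Clawdbot skill or from SkillSpector) of the alternative the Overview recommends. `secret_status` confirms a variable is set without revealing it, and `with_secret` fetches the key from a secret store at call time and hands it to one process only. The backend command is an assumption: any command that prints the secret to stdout works, for instance `pass show affinity/api-key` or, on macOS, `security find-generic-password -s affinity -w`; `sha256sum` or `shasum` must be available.

```sh
# Added example (not part of the scanned skill). Two helpers that replace
# "export KEY=... in ~/.bashrc" and "echo $KEY" with safer equivalents.

# Report set/unset, length and a short SHA-256 fingerprint of a variable.
# The value itself never reaches stdout, so scrollback, screen recordings
# and logs do not capture it. Use this instead of `echo $AFFINITY_API_KEY`.
secret_status() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "$name: unset"
    return 1
  fi
  if command -v sha256sum >/dev/null 2>&1; then
    fp=$(printf '%s' "$value" | sha256sum | cut -c1-8)
  else
    fp=$(printf '%s' "$value" | shasum -a 256 | cut -c1-8)
  fi
  echo "$name: set (length ${#value}, sha256 prefix $fp)"
}

# Fetch the secret from a backend command at call time and expose it only in the
# environment of the command being run. Nothing is written to a startup file, the
# value does not enter shell history, and it is gone when the command exits.
# $backend is word-split, so "pass show affinity/api-key" is a valid backend.
with_secret() {
  name="$1"; backend="$2"; shift 2
  value=$($backend) || { echo "with_secret: backend failed for $name" >&2; return 1; }
  env "$name=$value" "$@"
}

# Typical use (assumed command names; commented out so the block runs without a real store):
#   with_secret AFFINITY_API_KEY "pass show affinity/api-key" clawdbot sync-affinity
#   with_secret GOG_KEYRING_PASSWORD "pass show gog/keyring" gog auth login
```

Because the secret is fetched per invocation, a heartbeat or scheduled run that is later enabled has to go through the same backend and inherits its access control, instead of finding the key already sitting in every login shell.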

VirusTotal

55 of 55 vendors rated this skill as clean (0 detections).
