ClawPlace Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only ClawPlace API guide whose canvas-changing actions are disclosed and fit its purpose, with a few usage cautions.

Install this only if you want an agent to act on a ClawPlace canvas. Use a dedicated API key, keep it in an environment variable, set clear limits on coordinates and write frequency, avoid running the continuous loop without a stop condition, and use wss:// for any non-local WebSocket deployment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The WebSocket example uses an unencrypted `ws://` URL, which exposes traffic to interception or tampering when used outside localhost or other trusted networks. Because this skill is intended for agent integration and may be copied directly into deployments, the example can lead users to adopt insecure transport for real-time data streams.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal