clawr.ing

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward phone-calling skill, but users should understand it can place real calls through clawr.ing and store phone numbers locally.

Install only if you are comfortable giving the agent a clawr.ing API key, sending call details to that service, and keeping phone numbers or call preferences in a local memory file. Before any call, confirm the recipient, phone number, timing, retry behavior, and purpose.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill description is broad enough that an orchestrator could invoke it for common reminder or alert requests, which may lead to unintended phone-call actions. In a skill that can place real external calls, over-broad routing increases the risk of surprise contact, privacy violations, and unwanted charges even though the body text says not to call unless explicitly asked.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to store phone numbers and preferences in a local memory file but does not provide a clear privacy notice, consent guidance, retention limits, or handling restrictions for this sensitive personal data. Because the skill deals with real phone numbers and contact preferences, unclear storage practices materially increase privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal