Tophant Clawvault Mask Project

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local document-masking skill with expected file access and no evidence of hidden network, credential, or persistence behavior.

Install only if you are comfortable letting the skill read the specific document paths you provide and return or write masked content. Review the sanitized output before sharing it further, because regex masking can miss sensitive details and a no-match result may contain the original document text.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill explicitly instructs the agent to read a user-specified local file and optionally write sanitized output or policy files, but it declares no permissions. This creates a permission-model mismatch: reviewers or enforcement layers may assume the skill is harmless while it actually performs file I/O, increasing the risk of unintended local file access or writes if invoked on sensitive paths.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal